By Vibhav Krishna and Shambhavy Singh
Introduction
The world has been under the threat of COVID-19 for over six months now. With quarantine and lockdowns into effect, people have been finding different ways to stay positive and be productive. Internet has been one of the biggest reliefs in such times. Consequently, an industry which has gained momentum in a while is the online gaming industry.[1]
The authors in this paper will analyse two questions. Firstly, whether the personal data of the fantasy sports games (‘FSGs’) user is secured and secondly, what changes are required by the operators of FSGs in their privacy policy to make it consistent with the Personal Data Protection Bill, 2019 (‘the Bill’).
According to the Esports Federation of India, there are 300 million online gaming enthusiasts who have contributed heavily to the $1.1 billion market by 2020.[2] Evidently, the craze of online fantasy sports games in India is increasing with each passing day.
FSGs are those which involve the users to create a team of their own from the players made available to them, on the online platform, by using their skills, judgement, and experience, developed over a period of time by playing the games, which are to be played at a scheduled time.[3] Theses platforms tend to charge an entry fee, which goes into an escrow account and the same is used for distributing rewards to the winners.[4]
Judicial Stand on FSG
The primary legal question arising in one’s mind is whether FSGs are legal or fall within the ambit of gambling.
In the recent past there have been multiple disputes with respect to the legality of such games in spite of the judgement in Dr K.R. Lakshmanan v. State of Tamil Nadu[5], wherein it was established by the Supreme Court (‘SC’) that the competition where success depends on substantial degree of skill is not ‘gambling’ and despite there being an element of chance if a game is preponderantly involving skill, it would be a ‘game of skill’.
In Varun Gumber v. Union Territory of Chandigarh[6], the contention on behalf of the petitioners has largely been around Dream 11, that whether there is a commission of the offence of betting and gambling. The High Court (‘HC’) of Punjab & Haryana held that FSGs are one of skill and not a game of luck, thereby legalising the advent of such games being played on an online platform. This was predominantly referred to by the Bombay HC in Gurdeep Singh Sachar v. Union of India[7], where the petitioner had filed a criminal complaint against Dream 11, for carrying out gambling under the pretext of FSGs. Even the Rajasthan HC in Chandresh Sankhla v. State of Rajasthan[8], agreed with the decision of the former.
Later, a petition was brought before the SC by the State of Maharashtra[9] against the order of the Bombay HC for considering Dream 11 as a game of skill and to review the activities of the operators for the purposes of formulating GST. The Court issued notices to the parties scheduling a hearing, which got delayed due to the Covid-19 crisis. This has put the status quo in a conundrum, though the judgements of the Punjab & Haryana and Rajasthan HCs still hold good.
Following the brawl of Dream 11, a PIL has been filed in the Madras HC seeking a criminal action against the brand ambassadors of a similar gaming application, viz, Mobile Premier League (‘MPL’).[10] MPL is an application available for downloading via a link which is sent to an individual’s mobile via his/her phone number.[11] The case shall be taken up in the HC to decide if it falls under the category of FSGs or online gambling.
MPL and the Personal Data Protection Bill, 2019
We would like to note that the claims in the article are not exhaustive but provide an overview of the MPL privacy policy vis-à-vis the Bill.
In K.S Puttaswamy v Union of India[12], the SC has identified data privacy as a human right and opined that it falls under right to life[13]as enshrined in the Indian Constitution. In line with Puttaswamy, the then Minister of Electronics and Information Technology introduced the Bill.
The Bill provides protection to the personal data of data principals[14] (a natural person to whom the personal data relates) (‘DP’) who have provided it for processing[15] (set of operations performed on personal data for e.g., collection, recording, alteration, use, disclosure etc). Data fiduciaries (any person who determines the purpose and terms of processing of personal data)[16] (‘DF’) ensure that the data is collected for a specific and lawful purpose.
The role of a free and clear consent finds an important place in the Bill. It uses the term ‘informed consent’[17], i.e., the DP has to be informed about the purpose of his data being collected and processed by the DF. The quintessential quality of the mentioned consent is that it is capable of being withdrawn by the DP.[18] Personal data cannot be stored beyond a period necessary to satisfy the purpose and the data must be deleted once such purpose is complete[19].
Usage of the personal data of individuals by MPL
The Bill defines personal data[20] as any data through which a person could be identified directly or indirectly or from which any inference could be drawn for the purpose of any data profiling.
MPL is available for use once information like basic contact, demographic and financial data (for disbursement of prizes) is provided.[21] The collection and retention of such information by the application falls within the ambit of personal data defined by the Bill. The app mentions to its user that there is nothing such as a complete security[22] and it is dubious as to how this will hold water with the provisions of the Bill.
Under general clause 1of the MPL Privacy Policy[23] an individual is supposed to consent to the collection, retention and use of his/her personal data in order to use the application.[24] The privacy policies of MPL fail to provide a clear and specific purpose for which the consent of the players is taken. It is the obligation of the DF to process only such data for which the consent is given.[25] The DF is supposed to deliver a notice regarding the same[26], at the time of collection of the data, mentioning the purpose, nature and categories of data, right of DP to withdraw consent, individual or entities with whom such personal data may be shared, procedure of grievance and, period for which data shall be retained.[27] Hence, in the opinion of the authors, the mere fact that an individual by consenting to MPL’s privacy policy only by the use of the application, is not consistent with the provisions of the Bill, and does not render it secure.
What changes need to be done to ensure compliance?
According to the Bill, the company needs to adopt a Design Policy (approved by the Deputy Protection Authority) and publish the same on their respective websites.[28] The Design Policy provides the steps through which an organisation shall ensure compliance with the provisions of the Bill.
Monetary penalties are also in order if corporate fails to comply with certain provisions in the Bill[29]. The Bill also criminalises activities that results in re-identification of individual by the DF and makes it a cognisable offence.[30] The DF shall not retain any personal data beyond a required period to satisfy the purpose, and the data shall be deleted once the purpose is complete.[31] It requires the DF to ensure periodic audit as to whether it is necessary to retain the personal data in its possession.[32] Therefore, the privacy policy must also include the time limit for which the data will be stored by the company and what steps will it take to ensure that the data is deleted after its purpose is served.
Hence, the Bill comes into place to protect the users when their personal data makes them vulnerable. If the Design Policy is adopted and implemented effectively, it shall give way to a less problematic informed consent system. This would aid the users in limiting the use of their personal data only to the purposes to which they had consented for in the first place. The consenting users are thereby permitted to make their own choices. It shall further make the submission and processing of user data more user-oriented, as the bill tends to shift its focus from taking preventive measures to force changes into the pre-existing data-sharing policies of the operators which are unfair and deceiving.
The authors, Vibhav Krishna and Shambavy Singh, are currently law students at the National Law University, Jodhpur.
[1] Garima Bora, For Indian Gaming Startups, COVID – 19 Lockdown is a Boon for Business, The Economic Times (13/04/2020), available at https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/for-indian-gaming-startups-covid-19-lockdown-is-a-boon-for-business/articleshow/75115595.cms?from=mdr, last seen on 06/08/2020.
[2] Esports Federation of India, http://esportsfederation.in/#IESF, last seen on 30/07/2020.
[3] Shree Varun Gumbar v. Union Territory of Chandigarh, Case No. CWP-7559-2017 (Punjab & Haryana High Court, 18/04/2017).
[4] Gurdeep Singh Sachar v. Union of India, Criminal Public Interest Litigation Stamp No. 22 of 2019 (Bombay High Court, 30/04/2019).
[5] Dr. K.R. Lakshmanan v. State of Tamil Nadu, (1996) 2 SCC 226.
[6] Shree Varun Gumbar v. Union Territory of Chandigarh, Case No. CWP-7559-2017 (Punjab & Haryana High Court, 18/04/2017).
[7] Gurdeep Singh Sachar v. Union of India, Criminal Public Interest Litigation Stamp No. 22 of 2019 (Bombay High Court, 30/04/2019).
[8] Chandresh Sankhla v. State of Rajasthan, 2020 SCCOnline Raj 264.
[9] State of Maharashtra & Ors. v. Gurdeep Singh Sachar & Ors.[4], Special Leave Petition (Criminal) Diary No(s). 42282/2019 (Supreme Court of India, 06/03/2020).
[10] Meera Emmanuel, PIL in Madras HC Seeks Arrest of Virat Kohli, Tamannah, Other Celebs Promoting Online Gambling Websites, Bar & Bench (02/08/2020), available at https://www.barandbench.com/news/litigation/pil-madras-hc-seeks-arrest-of-virat-kohli-tamannah-promoting-online-gambling-websites, last seen on 06/08/2020.
[11] Yash Tripathi, What Is MPL? How To Download MPL App That Gives Cash For Playing Your Favorite Games?, Republic World (08/04/2020), available at https://www.republicworld.com/technology-news/apps/what-is-mpl-how-to-download-mpl-app-that-gives-cash-for-playing-games.html, last seen on 06/08/2020.
[12] K.S Puttaswamy v. Union of India, (2017) 10 SCC 1.
[13] Article 21, The Constitution of India.
[14] Section 3(14), Personal Data Protection Bill, 2019 (pending).
[15] Section 3 (31), Personal Data Protection Bill, 2019(pending).
[16] Section 3(13), Personal Data Protection Bill, 2019(pending).
[17] Section 11 (2) (b), Personal Data Protection Bill, 2019(pending).
[18] Section 7 (1) (d), Personal Data Protection Bill, 2019(pending).
[19] Section 9 (1), Personal Data Protection Bill, 2019(pending).
[20] Section 3(28), Personal Data Protection Bill, 2019(pending).
[21]MPL Privacy Policy, https://about.mpl.live/privacy/?_ga=2.114036612.2084522438.1595312699-678437031.1594561986&_gac=1.226365672.1594796880.Cj0KCQjw0rr4BRCtARIsAB0_48MNHnZPMkf4UbBQRPPAujFztvfiJnGJtnlBqFcGansFHa_x0BjKYLAaAtv4EALw_wcB, last seen on 01/08/2020.
[22] Clause 5.2, MPL Privacy Policy, Supra at 18.
[23] Supra 18.
[24] Clause 1.1., MPL Privacy Policy, ibid.
[25] Section 5 (b), Personal Data Protection Bill, 2019(pending).
[26] Section 7, Personal Data Protection Bill, 2019(pending).
[27] Section 9, Personal Data Protection Bill, 2019(pending).
[28] Section 22, Personal Data Protection Bill, 2019(pending).
[29] Chapter X, Penalties and Compensation, Personal Data Protection Bill, 2019(pending).
[30] Section 82 and 83, Personal Data Protection Bill, 2019(pending).
[31] Section 9, Personal Data Protection Bill, 2019(pending).
[32] Section 29, Personal Data Protection Bill, 2019(pending).
The Journal of Indian Law and Society Blog 