Globalization and advancement of
technology have posed greater threat to the privacy of individuals. We have
made tremendous progress in digitalization with Government initiatives of
Digital India and E-locker, the data in government departments in stored in
e-format and available online. Moreover, the sensitive data available in form
of AADHAR details is a matter of great concern for all stakeholders. It is estimated that India has
approximately 550 million users, considering the quantum of data at stake; time
and again the absentia of law on the subject is felt as a major factor
contributing to data piracy. Data protection is a necessity, it becomes more
obvious when the amount of data created and stored continues to grow at an
unprecedented rate, coupled with exploitation and mishandling of such data by
companies without the consent of the individual. The companies and other
repositories of data generally tends to make regulations and legislation which
serve their purpose and are inclined towards their benefit, empowering them to
use data at their disposal with minimum provider’s control. With a view to
safeguard the data available with various agencies, and to curb the trade in data
without the user’s consent, the Personal Data Protection (PDP) Bill was
drafted.
This Bill was introduced in the Lok
Sabah by Mr. Ravi Shankar Prasad, Minister of Electronics and Information
Technology (MEIT) on December 11, 2019, later, it was referred to a Joint
Parliamentary Committee for scrutiny. This Bill was introduced with an aim to
protect the personal data of the individual, to lays down the guidelines and
rules for the utilization of data and to the established data protection
authority.
The litigation history
of data protection regime in India started, can be formally traced back to the
petition filed before the Hon’ble Supreme Court by Retired Justice K.S.
Puttaswamy. The court has in its a landmark judgment held that the right to
privacy is protected as “an intrinsic part of the right to life and personal
liberty under Article 21 and as a part of the freedoms guaranteed by Part III
of the Constitution”.[1] In K.S. Puttaswamy v Union
of India[2], the Court read the right
to privacy to be a fundamental right but with subject to reasonable
restrictions, the restrictions have to meet a three-fold requirement, namely
(i) existence of a law; (ii) legitimate state aim; (iii) proportionality.[3] According to the judgment,
the Supreme Court also direct the government to form a data protection law to
address the concerns related to privacy in the digital age. A committee of
experts headed by the Justice B.N. Srikrishna, was set up to assess the current scenario of data
protection in India, recommend ways to tackle the problems surrounding it and
draft a data protection bill, 2018 but after various criticism bill was later
presented in 2019 again.
This time Bill includes several modifications and changes in scope
and intent for creating framework for “organizational and
technical measures” of data processing, introduce “accountability of entities
processing personal data”, and lay down norms for social media intermediaries
and cross border transfer[4]. In a nut shell, the Bill continues to require that
Personal Data[5]
be processed fairly and reasonably while guaranteeing the
protection of the privacy of
the Data Principal[6],
for purposes that are associated and consented to by the Data Principal, or
purposes incidental or connected thereto[7]. These
are the summary of the key changes relevant to private Data Fiduciaries[8]. The
Bill has also made certain changes to the provisions relating to the processing[9] of Personal
Data by Central and State Governments.
Data protection is the process of protecting the personal and
sensitive information of citizens and preventing it from misuse. The quote is
newly popularized which states ‘Data is the new oil’ and highlights the
power that data holds. The Union Minister Ravi Shankar Prasad highlighted this
by emphasizing the importance of utilizing ‘anonymised data’[10] for policy innovation
during the presentation of the PDP Bill
in the Parliament.[11]The Bill aims to protect "Personal Data"[12]
relating to the identity, characteristics trait, attribute of a natural person
and "Sensitive Personal Data”[13] such as
financial data, health data, official identifier, sex life, sexual orientation,
biometric data, genetic data, transgender status, intersex status, caste or
tribe, religious or political beliefs.
Section 2 [14]of the
PDP Bill proposes its applicability for processing of personal data that has
been collected, disclosed, shared or otherwise processed within the territory
of India;
(a)
By the government, any Indian Company, any citizen of India or any person or
body of persons incorporated in India, and
(b)
Foreign companies dealing with personal data of individuals in India.
The
PDPB shall not apply to the processing of anonymised data, other than the
anonymised data or other non-personal data to enable better targeting of
delivery of services or formulation of evidence-based policies by the Central
Government.[15]
Strength and Positive
Aspects of the Bill
Every legislation has
certain affirmative as well as debatably controversial aspects which are meant
to be scrutinized. This said Bill also contains various clauses which intend to
strengthen the protection and prevent misuse of data. Chapter V of the PDP Bill
gives Indian citizens several rights like the Right to Confirmation and Access[16], Right to Correction and
Erasure[17], Right to Data
Portability[18]
, and Right to be forgotten[19].These rights permits citizens
to seek information from the data fiduciary and processing companies of
processing that their data which has been or is being subjected to, seek
correction for inaccurate or outdated data, to ask for transfer of data to
other data fiduciaries, and limit the continuing divulgence of their data by
the fiduciary.
The special provisions contained
the Chapter IV of the Bill provide for the processing of personal data and
sensitive data of children. According to this section, data fiduciaries
handling data of children shall process it only after verifying the age of the
child and after obtaining consent from the child’s parent or guardian. Business and commercial sites or online services
focused on kids or who process huge volumes of personal information which
belongs to children have been characterized under the Bill as Guardian Data
Fiduciaries. Such fiduciaries are banned from monitoring or targeting
advertisements at children unless they are providing counselling or child
protection in which case they shall be exempt from seeking verification. [20]
Another
feature of the Bill is the appointment
of
the Data Protection Officer as a state of contact for complaints and grievances
of information and data principals. This makes it simpler for data principals
to get their interests with a data
fiduciary addressed.[21]
Chapter X of the Bill also lays out
the penalties and compensation for potential offenders under the Bill. Offenders
who process or transfer personal data without consent and falls in a manner
that violates the Bill will be fined with either INR 15 crore or 4% of the
annual turnover of the company, whichever is higher and Offences regarding the
failure to conduct data audits are punishable with a fine of INR 5 crore or 2%
of the data fiduciary’s annual turnover, whichever is higher.[22]
Criticism
The
major controversy surrounding the Data Protection Bill was started when the
Bill was sent to Joint Parliamentary Committee rather than standing committee
which is headed by opposition party leader. Various provisions of Bill have
been in controversies since the very beginning as it gives more power to
central Government rather than the data protection authority. While the draft
Bill prepared by the Justice Srikrishna Committee (the 2018 draft) allowed the
government to have access to personal data for security purposes only, on other
hand the 2019 Bill gives the government access to non-personal data as well.
This has drawn criticism from Justice B N Srikrishna himself. According to him,
non-personal data should have been addressed in a different Bill and not be
included with personal data because it gives the government the right to seek
any non-personal data from companies. This clause allows the government to
access business data, including data on intellectual property, business
strategy, and mergers and acquisitions, that may not be personal data but
necessary from a business point of view [23]. The exemption given to
government agencies under Section 35[24] is likely to send a
negative message to the global investor network [25]
Another
concern is regarding the selection and composition of the Data Protection Authority.
The selection of the DPA is dependent on the Central Government only. The
original 2018 Bill included a judicial member in the form of the Chief Justice
of India or another Supreme Court judge in the selection committee which the
2019 Bill does not include. The participation of judicial members in the
process will increase the independence and accountability of the Authority as
well as lead to better scrutiny of government agencies with access to personal
data. This issue can be addressed by simply making qualifications related to
data protection and information technology. Compulsory for appointment and composition
of the Data Protection Authority.
The
2019 Bill also does not include the principles of necessity and proportionality
that the 2018 draft included. Section 36 of the Bill provide provision for “Exemption
of certain provisions for certain processing of personal data” which lay down
criteria which proves the situations necessity
to provide access to government agencies of personal data of individuals. In this
situation the principle of proportionality requires by the authorities to
strike a balance between the means used and the intended aims. Such an
exception raises concerns with respect to government surveillance of personal
data.
Conclusion
The
Personal Data Protection Bill is an attempt to balance the conflicting
interests of the Government and other stakeholders on one hand and the rights
of individuals on the other. It is said
to bridge the gap caused by absentia of a legislation extending statutory
protection to data and for the prevention of internet misuse. Earlier, under
the Information Technology Act, 2000[26] to the provisions for punishment
for the offenders of data leaking and monitoring illegally, were contained. This
Bill intend to provide a framework that is essential to address digital privacy
on the internet through
checks and balances to preserve the trust between said individuals and the
entities that have access to their personal data. The clause of
essential rights in Bill which provide power to individuals in order to
restrict the use and disclosure of their personal data by a data fiduciary has
the potential to empower individuals against its misuse. However, in its
current state, concerns are raised because of lack of accountability attached
to the access given to the Central Government and its agencies in the Bill. Justice
BN Shrikrishna said “they have removed the safeguards. This is dangerous. The
government can at any time access private data or government agency data on the
grounds of sovereignty or public order. This has dangerous implications.”[27] He also mentioned this Bill
will turn India into an Orwellian State. Orwellian sate means a political
system which tries to control every part of people’s lives.[28] Observing these
statements and various Exclusion of the principles like necessity and
proportionality from the Bill also perpetuates the unconstitutional practice of
allowing the government access to personal data without appropriate safeguards
in place and can violates fundamental right to privacy.
[1] Jyoti Panday, “India's Supreme
Court Upholds Right to Privacy as a Fundamental Right—and It's About Time”,
Deeplink Blog, August 28,2017; available at https://www.e.org/deeplinks/2017/08/indias-supreme-court-upholds-rightprivacy-fundamental-right-and-its-about-time. Last visited on June 2, 2020.
[2] (2017) 10 SCC 641 (“Puttaswamy
I”).
[3] Amber Sinha “comments to the
personal data protection Bill 2019”, The Centre for internet & society
(CIS) available at https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-Bill-2019. Last visited on June 2, 2020.
[4] The Personal Data Protection
Bill,2019, s. 26 & 33.
[5] The Personal Data Protection Bill,
2019, ss.28, s.3.
[6] The Personal Data Protection Bill,
2019, ss. a, s.5
[7] The Personal Data Protection Bill,
2019, ss. b, s.5.
[8] The Personal Data Protection Bill,
2019, ss. 13, s.3.
[9]The Personal Data Protection Bill,
2019, ss. 31, s.3.
[10] The Personal Data Protection
Bill,2019, ss. 3, s.3.
[11]“ Lok Sabha refers Personal Data
Protection Bill to joint panel; Prasad says 'anonymized data' should be
available for policy making”, Business Standard, December 12, 2019. Available
at https://www.business-standard.com/article/news-ani/lok-sabha-referspersonal-data-protection-bill-to-joint-panel-prasad-says-anonymized-datashould-be-available-for-policy-making-119121200044_1.html. Last visited on June 3,2020.
[12]
Supra 6
[13] The Personal Data Protection Bill,
2019, ss. 36., s.3.
[14] The Personal Data Protection Bill,
2019, s.2.
[15] The Personal Data Protection Bill,
2019, s.91.
[16] The Personal Data Protection Bill,
2019, s.17.
[17] The Personal Data Protection Bill,
2019, s.18.
[18] The Personal Data Protection Bill,
2019, s.19.
[19] The Personal Data Protection Bill,
2019, s.20.
[20] The Personal Data Protection Bill,
2019, s.16.
[21] The Personal Data Protection Bill,
2019, s.30.
[22] The Personal Data Protection Bill,
2019, s.66.
[23] “Key
Changes in the Personal Data Protection Bill, 2019 from the Srikrishna
Committee Draft”, defender of your digital freedom, sflc.in( December 11,2019).
available at https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft
last visited on June 3,2020.
[24] The Personal Data Protection Bill,
2019, s.35.
[25] Supra
11 at pg.2
[26]
Information Technology Act,2000, s.43.
[27] Mandavia,
M.(2019). “Personal data protection Bill can turn india into ‘Orwellian State”:
Justice BN Srikrishna”, The Economics Times, available at
https://economicstimes.indiatimes.com/news/economy/policy/ Personal-data-protection-bill-can-turn-india-into-‘Orwellian-State”:-Justice-BN-Srikrishna/articleshow/72483355.cms?from=mdr.
Last visited on June 3, 2020
[28] Dicitionary.cambridge.org.(2020).
Orwellian|meaning in the Cambridge
English dictionary. online
0 Comments