On December 11, 2019, the Minister of Electronics and Information Technology, Ravi Shankar Prasad, introduced “The Personal Data Protection Bill” in the lower house. The Bill aims to ensure, inter-alia, the protection of individuals’ privacy in relation to their personal data, the transparency of organisations and institutions processing personal data, and to establish a Data Protection Authority (hereinafter referred to as “DPA”), for the various purposes that the Bill seeks to fulfil. The Bill is the response of the Government of India to the long-standing need for a “data protection regime” to protect citizens’ personal data that they knowingly or unknowingly provide to various internet websites.
The Government of India constituted a Committee of experts on Data Protection on 31st July 2017, which was headed by Justice B. N. Srikrishna, to examine the issues pertaining to the Data Protection in India, and the report of this Committee was submitted on 27th July, 2018. Later, the Government placed the Bill in public domain, for feedback and suggestions from various stakeholders, ministers and consultants. Based on these suggestions the Union Cabinet approved a revised Personal Data Protection Bill, 2019, on December 4th, 2019. Later, the Bill was introduced in the Lok Sabha on December 11, 2019 and was referred to a Joint Select Committee of both the houses.
The right to privacy has been recently recognised as a fundamental right emerging primarily from Article 21 of the Constitution, in Justice K.S. Puttaswamy (Retd.) v. Union of India. To make this right meaningful, it is the duty of the State to put in place a data protection framework which, while protecting citizens from dangers to informational privacy originating from State and Non-State actors, serves the common good. It is this understanding of the State’s duty that the Committee must work with, while creating a data protection framework.
Major Features of the Bill:
The Bill regulates the processing of personal data by States, companies incorporated in India, and international companies dealing with personal data of individuals in India. The Bill sets out the responsibilities of data fiduciaries (i.e. the body deciding the intent and means of processing personal data), requiring that certain accountability and transparency steps be taken when processing the data. The Bill requires personal data to be handled by data fiduciaries only if the data principal (i.e. the person to whom the data relates) has given his permission.
The Bill further provides a legal framework for the collection and use of personal information. While providing a collection of rights and obligations for the processing of personal data, the Bill proposes the creation of a DPA to control and implement the legal structure. The Bill also vests the Central Government with substantial standard-setting powers and tasks the DPA with implementing the same. An important characteristic of the Bill is its broad scope of applicability. If implemented, it would apply across India to all companies other than those expressly exempted. This will involve any organization that collects data using automated means. The DPA shall have the power to define small entities based on turnover, data volume handled and data collection purposes.
Further, the Bill makes consent an important factor in the proposed data protection framework. The Bill also proposes that the personal data of individuals should be accessed only on the basis of free, informed and detailed consent, with provisions that allow such consent to be withdrawn. Any processing of data without such approval would constitute a breach, which could result in penalties under Sections 11 and 57 of the Personal Data Protection Bill, 2019. Section 11 of the Bill establishes a separate category of ‘sensitive personal data’ and states that such data can only be processed with ‘explicit consent’.
Section 12 of the Bill mentions certain grounds on which personal data can be processed without consent. These grounds are: if the personal data is required for the benefit of the data principal, for legal proceedings, for response to medical emergencies, or for the maintenance of law and order. The Bill also allows the Central Government to guide data fiduciaries to include confidential personal data or non-personal data so that the Central Government can better plan the delivery of services or formulate evidence-based policies. According to the Bill, data fiduciaries must institute mechanisms for age verification and parental consent when processing sensitive personal data of children, as stated under Section 16. Further, under Chapter V, the Bill gives certain rights, like the right to obtain confirmation whether data has been accessed or not, the right to correct erroneous personal data and the right to be forgotten.
“The right to be forgotten” reflects a major part of the legislation. Under Section 20, the data principal is entitled to avoid the continued disclosure of his personal data if the purpose of the data has been served, if the consent of the data principal has been removed or if the data has been unlawfully released. The Bill also empowers the DPA to take measures to protect individual rights, prevent abuse of personal data and ensure compliance with the Bill.
Negative Aspects of the Bill:
Although there are many strong and progressive provisions in the Bill, there are some provisions and features of the Bill which tend to raise significant concerns regarding the effectiveness of the Bill in protecting the data of citizens. They are dealt with in the subsequent paragraphs:
- Harm and Damage to Privacy:
The Bill defines ‘harm’ in a manner which appears problematic for many stakeholders. According to this concept of harm, any discriminatory treatment, or denial or removal of a service, resulting from the assessment of the data principal would be covered under it. The Bill talks about discrimination in general, which imposes severe restrictions on business activities, because many businesses have to discriminate on different grounds for the smooth functioning of business. In reality, according to the Indian Constitution, only certain types of discrimination are problematic. Within the Bill, risk of harm is a concern when determining what kind of privacy protections have to be built into the design of business policies. The focus on this controversial concept of harm should create a significant problem for various companies, as they often have to remove specific services from customers when discriminating on the basis of data collected from them.
- Voluntary User Verification:
Another criticism that the Bill has faced is its clause that allows businesses to provide users with options to voluntarily verify their identity. If users do not verify their identities, they are going to be a candidate for government surveillance or analysis. This provision would raise the risk of data breaches and entrench control in the hands of major social media companies who can afford to install and maintain such verification systems. In addition, this will also increase the risk of user privacy breaches. It also ignores the fact that social media anonymity sometimes brings benefits like whistleblowing and stalker protection.
- No-Consent Transfer of Non-Personal Data:
The Bill also mandates companies to share non-personal data with the Government, on the grounds of public good and planning. This will not only raise significant privacy concerns, but it will also have a disastrous impact on companies, as companies often keep trade secrets in the form of non-personal data and, on its being shared, they might suffer a setback.
The Personal Data Protection Bill is India’s move towards providing, inter-alia, data privacy for its people and avoiding misuse of their data. It places great emphasis on the individual’s consent before taking up his/her data for any purpose. It also has provisions for the establishment of an Indian Data Protection Authority to ensure proper enforcement of the proposed Bill. It is a long-awaited legislation, as India did not have a comprehensive law to protect its citizens’ data, leaving citizens unarmed while being exposed to a world full of cyber-crimes.
While impressive on certain counts, the Bill also has disappointing aspects, such as putting a strong emphasis on harm without adequately identifying it and making it mandatory for businesses to exchange non-personal data. The major weakness in the Bill, however, for which it earned flak from many lawyers, academics, and politicians, lies in the clauses that grant exemptions to the Government, through which it can allow any Government agency to circumvent the proposed Act. These clauses raised significant and relevant questions about the Government’s intentions, with Justice BN Srikrishna, whose committee prepared the draft law in 2018, calling it an attempt to turn India into an Orwellian State.
Today the internet has become an integral part of our lives. Almost all the things that we do, whether public or private, official or unofficial, include the use of the internet. A large amount of data is transferred whilst performing these activities. In such a situation, ensuring data security is important, because a person’s data in the wrong hands can have serious repercussions. There are cases where users’ data privacy has been violated, knowingly or unknowingly, by social media sites like Facebook and WhatsApp.
Therefore, a law that seeks to protect citizens’ privacy is essential. The Personal Data Protection Act is intended to meet this obligation. However, it is marred by certain shortcomings, and so can end up offering very little of the protection that the legislation promises. But the Bill also has scope for change, as it has been referred to a Joint Parliamentary Commission. The panel is expected to discuss the Bill’s shortcomings and to come up with a Revised Draft Bill that will provide Indian people with a promising legislation that delivers on the data privacy promise.
Authors: Kadam Nikitha from Army Institute of Law & CH Suswani from DSNLU.
Editor: Astha Garg, Junior Editor, Lexlife India.