AN ENQUIRY INTO THE PERSONAL DATA PROTECTION BILL, 2019
Author: Vaibhavi.S.U, II year of B.B.A., LL.B.(Hons.) from SASTRA University
Over the last few years, there has been a significant expansion in the amount of data that is generated through the use of different electronic gadgets and applications. Present-day organizations benefit considerably from analysing the data of individuals. Many companies use consumer data[i] to increase their understanding of consumer demands and utilise the same to gain profits in their business. While there is no denying the business productivity involved, the million-dollar question is 'Does an individual have a command over the way in which his/her data is accessed or processed by others?'
The Latin word “Data” means ‘fact given or granted’. It was first used to mean "transmissible and storable computer information" and the expression "data processing" was first used in 1954. While Personal Data is turning out to be increasingly important, protection of the same is the need of the hour.
The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology. It was introduced on December 11, 2019, and will most likely be tabled in the Parliament[ii] in the Budget Session of 2021.
WHAT’S IN THE BILL?
Personal data relates to characteristics, traits or attributes of identity that can be used to identify an individual. This bill proposes to restrict the use of personal data of the citizens without their explicit consent and lays down rules as to the processing and storage of personal data. It also lists people’s rights concerning their data.
Data privacy issues in India have become more conspicuous in recent years. The origin of the bill lies in the judgment given by a nine-Judge Bench of the Supreme Court in Puttaswamy v. Union Of India[iii] on August 24, 2017. The Supreme Court in this case discussed the issue of privacy in light of the Unique Identity Scheme and held that the Right to Privacy is a Fundamental Right under Article 21 of the Constitution. After this, the Indian government set up a committee of experts on data protection, led by a retired Supreme Court judge, B. N. Srikrishna, to analyze the issues relating to data privacy. The committee presented a report and a draft bill after one year. The current bill is a modified version of that draft bill.
Once this Bill becomes an Act, organizations would need to inform users about their data collection practices and seek their consent. They would need to gather and store proof that such notification was given and consent was obtained. Since the bill gives users the option to withdraw their consent, organizations would likewise need to develop systems that permit them to do so.
The Bill limits the collection of personal data only to the extent that is necessary for the processing of such personal data. The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing. The Bill also imposes obligations on all data fiduciaries to undertake a few transparency and accountability measures, such as implementing security safeguards and instituting grievance redressal mechanisms to address complaints of individuals. The bill mandates the Data Fiduciary to prepare a privacy by design policy and publish the same on their website. Additionally, the bill provides for the omission of Section 43A[iv] of the Information Technology Act, 2000.
The bill imposes requirements for data protection on most businesses in India. As to who must abide by this bill, practically all organizations in India should meet the bill's conditions. This will include not only online business, web-based media, and IT organizations, but also physical shops, real estate companies, clinics and pharmaceutical companies. Small entities are exempted from this.
Data Principal is the person to whom the personal data relates. The bill confers certain rights upon the Data Principal. The data principal shall get confirmation about the processing of his/her data and shall also have the right to access in one place the identities of the data fiduciaries with whom his/her data has been shared. The Data Principal, in addition to this, has a right to correct inaccurate data, complete incomplete data, update data that is out of date and erase data that is no longer necessary.
NEGATIVE ASPECTS TO THIS BILL
The rights of the data principal and the provisions concerning the security of personal data are pretty impressive, given that the data principal will be able to have control over his/her data. Even though there are numerous strong provisions in this Bill, a few provisions might raise huge concerns about the effectiveness of the Bill in securing the citizens’ data.
1. Exemption to the Central Government
When necessary, the Central Government, in the interest of the sovereignty and integrity of India, or for the security of the State, may direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of the processing of personal data. It is pertinent to note that the Central Government can even do away with the provisions relating to the requirement of prior consent to access data, in cases of national security.
These powers can go against the right to privacy as it gives the government an opportunity for mass surveillance. For instance, the government can lawfully pry on an individual if it believes that person to be a threat to the security of the state independent of whether that person is a threat or not. Legal experts have expressed their concern over possible exploitation of the Bill[v] by the Central Government for its benefits, especially for enforcing laws.
2. Increase in Compliance Costs
According to the provisions of this Bill, all internet companies should process critical data of individuals within the country. The sensitive personal data may be transferred outside India for processing only after the data principal gives his/her explicit consent. Data related to biometrics, health, sexual orientation, religious or political orientation, etc., are identified as sensitive data. Every data fiduciary and data processor shall, concerning the processing of personal data, use methods such as de-identification and encryption, and take the steps necessary to protect the integrity of personal data and prevent misuse of or unauthorised access to personal data. They shall also review their security safeguards periodically. Individuals will have the option to port their information for a fee, to analyse how their information has been utilized, and to modify it.
All entities would have to implement these and also other things like data-minimization and localization. Though there are exemptions proposed for small entities, some requirements like data localization and the correction of individual data are to be complied with by all entities. As a large number of firms in India are classified as micro-enterprises, this will increase compliance costs for such enterprises. There will be an increase in compliance costs for large entities also, but the extent of the increase would be comparatively smaller than that for small entities. The bill could thus not only increase compliance costs across the economy without essentially securing data protection, but also lessen the competitiveness of micro/small entities, as small entities would face an increase in their expenditure to meet the prerequisites of the bill.
3. Voluntary Verification
Another drawback is that the Bill permits businesses to provide users with options to verify their identities voluntarily. If users fail to do so, they might become candidates for government surveillance. This will also increase the risk of user privacy breaches[vi]. Even though verification is voluntary, it paves a way by which everybody can get their account verified, a status usually connected with influencers. This could result in a large number of individuals opting for user verification. This might bring about constant following and profiling of the individuals who disagree.
Personal data may be processed without consent in certain circumstances. Consent is not necessary for the provision of any service to the data principal from the State, medical emergency to the data principal or any other individual, any measure to provide medical treatment during an epidemic or a threat to public health, any measure to ensure safety during a disaster, recruitment or termination of employment of a data principal by the data fiduciary, provision of any service and assessment of the performance of the data principal who is an employee of the data fiduciary.
The bill weakens the right to withdraw consent. It allows the data principal to withdraw his consent for the processing of personal data only if he provides a valid reason. If the data principal fails to give a valid reason, all legal consequences of such withdrawal should be borne by the data principal. This may act as a deterrent against withdrawing consent and can facilitate misuse of personal data.
PROVISIONS TO SAFEGUARD THE DATA OF CHILDREN
The bill mandates that every data fiduciary should process the personal data of a child in such a manner that protects the rights of the child and is in the best interests of the child. The data fiduciary before processing any personal data of a child should verify his age and obtain the consent of his parent or guardian.
The right to be let alone and the protection of personal data are extremely important in the present information technology age. While securing personal data, it is highly essential to guarantee that people's privileges and opportunities aren't being abused. To guarantee that personal data is secure, it's necessary to comprehend what information is being handled, why, and on what grounds it's being processed. Moreover, it's critical to recognize what safety measures are being used.
Obligations for firms that don’t deal with sensitive personal data ought to be reduced in proportion to the risks arising from their activities. One such reduction might be to eliminate the condition that organizations need to manually process personal data to benefit from the exemptions.
Administrative uncertainty must be decreased. Ambiguities in the bill should be limited to improve business certainty. At present, three significant issues in the bill could cause critical administrative uncertainty. To begin with, it does not have a clear definition of critical personal data. Secondly, it doesn't set out any criteria for approving cross-border transfers of data. Finally, it enables the government to give directions as to the sharing of non-personal information with no restriction on the utilization of this power.
The Government’s power to exempt any government agency from the requirements of the bill ought to be balanced with proper safeguards. The government must not be enabled to determine which agencies are to be exempted and the safeguards that would apply to those agencies.
The framework proposed for securing the data of citizens must be appropriately customized for the realities of the Indian economy. It is imperative to have a logical way to deal with data protection. The bill notably strengthens the state without sufficiently securing data privacy. Devising a more specific and realistic framework can be done only through a practical evaluation of the benefits and costs of data protection for India. Though the bill claims to protect privacy of individuals relating to their data, it is not free from defects which might end up defeating the purpose of the Bill.
[i] Max Freedman, How Businesses Are Collecting Data, Business News Daily (Jun 17, 2020), https://www.businessnewsdaily.com/10625-businesses-collecting-data.html .
[ii] Personal Data Protection Bill likely to be tabled in Parliament In Budget Session, The Hindu (Oct. 04, 2018, 06:45 PM IST), https://www.thehindu.com/business/Industry/personal-data-protection-bill-likely-to-be-tabled-in-parliament-in-budget-session/article32765880.ece# .
[iii] Puttaswamy v. Union Of India, AIR 2017 SC 4161.
[iv] The Information Technology Act, 2000, § 43A, No. 21, Acts of Parliament, 2000 (India).
[v] Regina Mihindukulasuriya, More Power & Data Access to Govt.- All About Personal Data Protection Bill, The Print (Dec 13, 2019, 04:21 PM IST), https://theprint.in/theprint-essential/more-power-data-access-to-govt-all-about-personal-data-protection-bill/334650/ .
[vi] Kadam Nikitha, Data Protection Bill and Right to Privacy- An Analysis, Lex Life (Aug 25, 2020), https://lexlife.in/2020/08/25/data-protection-bill-and-right-to-privacy-an-analysis/ .