HOW DATA PROTECTION BILL IS ANTICIPATED TO IMPACT THE WAY PEOPLE THINK ABOUT AND PRACTICE PRIVACY?
Author: Harshita Tholiya, II year of B.A.,LL.B.(Hons.) from University Five Year Law College, University Of Rajasthan, Jaipur
If you want to question the government or get some information from it, you can take advantage of the RTI Act, 2005. If a person wants to prevent superfluous intervention, he can utilise his right to privacy, which he has against the government, journalists, and even neighbours. A UN report on the road map for digital cooperation 2020 stated that more than 7000 data breaches were recorded in 2019, exposing more than 15 billion records. The potential cost of worldwide data breaches will be more than 5 trillion by 2024.1
“Data is the oil of the 21st century.”
With the widespread use of computers and the internet on a global scale, data is collected, and the surfing patterns and online behaviour of users are tracked in order to serve adverts to targeted people so that businesses can profit. A lot of data is saved online without the user's agreement, and the corporation bears no duty or liability for the data leakage.
Individuals' data privacy must be protected, which necessitates legislation that lays out procedures for handling data appropriately. Procedures for using, collecting, storing, and sharing personal data must be clearly mentioned. Furthermore, the legislation must recognize the right to reasonable control over personal data. And strict adherence to such laws must be ensured.
What Is Data Privacy?
Data privacy refers to the proper treatment of data in accordance with established rules, such as the General Data Protection Regulation (GDPR) drafted by the European Union in 2018 or the GDPR-compliant laws enacted by the country. Data privacy concerns the collection, storage, management, and sharing of data, as well as compliance with current privacy regulations.2
History Of Data Protection In India
The (Indian) Information Technology Act, 2000 addresses concerns such as civil compensation and criminal penalties for improper disclosure and misuse of personal data, as well as breaches of contractual agreements relating to personal data.
Under section 43A of the (Indian) Information Technology Act, 2000, a body corporate that possesses, deals with, or handles any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, may be held liable to pay damages to the person so affected. Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, only "Sensitive personal data" is protected.3
Recently, the Parliamentary panel, also known as the Joint Parliamentary Committee, headed by BJP MP PP Chaudhary, adopted the final draft of the Data Protection Bill, which was originally drafted in 2018 by Justice B.N. Srikrishna and consists of 98 clauses.4
Data Principal: The person whose data is being talked about, i.e. stored, collected or processed, is called the data principal.
Data Fiduciary: Data fiduciary refers to the entity or person who decides on the means and purposes of data processing.
Data processing: The Bill regulates how the government and corporations established in India process personal data.
Data localization: It applies to foreign companies dealing with the personal data of Indian citizens. It means storing sensitive data in India only.
General consent: The bill gives the data subject significant rights over their personal information. Any processing of personal data can only take place with the consent of the data subject.
Data Protection Authority: The Bill establishes a DPA to ensure compliance with the Bill's requirements and to provide for additional restrictions regarding the handling of personal data of individuals.5
The bill specifies the following types of data
Data is a valuable asset to the nation. If it is categorised properly and protected accordingly, it could reduce the risk of data breaches, cyber-attacks and fake news, and could even polish up the tax regime.
1. Personal data
It refers to information such as a person's name, address, and other identifying characteristics that can be stored and processed in or outside of India.
2. Sensitive Personal Data
This is the individual's sensitive data, such as gender, health, financial status, caste, and so on. In India, this data could be stored and processed. To process data outside of the nation, the Data Protection Authority must provide permission.
3. Critical Personal Data
This category deals with sensitive information pertaining to the military, defence, and national security. This information is exclusively saved and processed in India.
4. Non-Personal Data
This is information that is not personally identifiable, for instance traffic patterns, demography, and so forth. It is collected by the government for the benefit of people, which includes schemes and subsidies. The government is not required to take any consent of people to collect this data from the fiduciary.6
Provisions Of Data Protection Bill, 2019
If data falls into the wrong hands, it may be used to disseminate fake news and hate speech, and even to influence elections. Prior to this statute, data security had not kept pace with advancements in hacking and espionage. To resolve these issues, the Data Protection Bill, 2019 was drafted.
Its goal is to protect people's privacy when it comes to their personal information, i.e. giving them access to their Right to Privacy, which was established explicitly in K.S. Puttaswamy v. Union Of India7 (also known as Aadhaar Act). In this case, National Identity was accused of infringing on a person's right to privacy. In the case of M.P. Sharma v. Satish Chandra8, the Advocate General of India endorsed the Indian government's contention that Indian people do not enjoy such rights guaranteed in the Indian Constitution. A nine-judge panel unanimously declared in August 2017 that Indians have a right to privacy. There is also no requirement for a separate declaration. This right is adequately protected by Articles 14, 19, and 21.
The nine principles of data privacy include consent, notice, correction, purpose, removal of data etc. This bill also aims to define the flow and use of personal data, as well as to establish a bond of trust between individuals and the entities processing their personal data. Individuals whose personal data is processed will also have their rights protected under the bill. It will also establish a framework of organisational and technical measures for data processing.
It will lay down norms for
1. Social media intermediary: To prevent anonymity, social media intermediaries such as telecom, network, internet, and site hosting service providers are required to conduct thorough verification. To assure the operability of its Indian branches, the parent business must open an office in India. Data stored and collected must be justified and commensurate to the purpose for which it is taken.9
2. Accountability of entities processing personal data: The main goal is purpose limitation and collection limitation, i.e. storing and processing personal data for only justifiable or legal purposes with the user's knowledge and consent.
But in cases of
ii) legal proceedings, i.e. investigation, detection and prevention of offences for the violation of laws,
iii) the Government providing services or benefits to the individual, the consent is not required.10
3. Data transfer across borders: Personal data can be saved and processed everywhere; however, sensitive personal data can only be stored and processed with the consent of the Data Protection Authority.
4. Remedies for unauthorised and harmful processing:
(i) processing or transferring personal data in violation of the Bill, which is punishable by a fine of Rs 15 crore or 4% of the fiduciary's annual turnover, whichever is higher, and
(ii) inability to conduct a data audit, which is punishable by a fine of Rs 5 crore or 2% of the fiduciary's annual turnover, whichever is higher. Without consent, re-identification and processing of de-identified personal data are punishable by up to three years in prison, a fine, or both.11
5. Establish an Indian Data Protection Authority: An Indian Data Protection Authority must be established, and each organisation must employ Data Protection Officers to ensure that the regulations are followed.
6. Right to be forgotten: This law is in congruence with the guidelines set by the General Data Protection Regulation of the European Union. It limits the further disclosure of an individual's personal information by the fiduciary if it does not serve any purpose or the consent is revoked.
What are the concerns regarding this bill?
Exemptions: Clause 35 of the proposed data protection bill, which has sparked controversy, allows the government and its agencies to get blanket exemptions from all of the bill's provisions, with no checks and balances in place. The Aadhaar Authority, UIDAI, and the Income Tax Department already have exemptions from the bill. Proper judicial oversight is needed, along with a more detailed prescription of which agencies can access data and when.
The hegemony of the executive branch: The executive's decision to issue such an order is not subject to oversight.
Unprecedented and intrusive: The current rules for protecting civilians from arbitrary and intrusive government surveillance, as revealed by the Pegasus case, are ineffective. The action was taken by the government.12
Question Of Reasonability: Government can use data for reasonable causes but this reasonability is arbitrary and not clearly mentioned.
Encryption Of Data: The level of data encryption determines the vulnerability to cyber-attacks. However, there are no specific provisions in this bill that address it.
Protective Policy: If data is exclusively saved in India, MNCs with servers in other countries that keep their users' data may experience challenges, which could stymie economic policy.
Start-ups: Due to the limits established to protect data, Indian startups operating abroad may risk reprisal. It will make conducting business more challenging.
Lack of User Awareness: Users are unaware of technical concepts such as cookies, required permissions, and the ramifications of granting such permissions.
Data Localisation: Any other state, or any other anti-social institution, could be able to monitor user data.13
Best practices used throughout the world
The General Data Protection Regulation (GDPR) in Europe is often regarded as the apex of data protection regulation worldwide. A separate statute dealing with the processing of personal data by law enforcement agencies is in existence under EU law. Part 3 of the UK's Data Protection Act liberalises certain requirements while simultaneously guaranteeing that data protection rights are protected.14
A Way forward
It's strenuous to strike a balance between privacy concerns and public demands (such as national security). This should go through extensive consultations in Parliament, with all interests represented. One can only hope that once considered in Parliament, sufficient time and attention is given to establishing a better balance between opposing interests.
The need of the hour is to establish clear and comprehensive laws and ensure their implementation at the earliest. Meanwhile, other companies must take proactive steps to protect the privacy of the users. And more awareness and empowerment should be given to consumers.15
2) https://www.cigionline.org/articles/peril-and-potential-gdpr/
7) Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017) 10 SCC 1, AIR 2017 SC 4161
8) M.P. Sharma vs. Satish Chandra, District Magistrate, Delhi ((1954) SCR 1077)
15) https://www.legaleraonline.com/data-protection/data-protection-and-competition-law-developments-and-the-way-forward-773015?infinitescroll=1