THE PERSONAL DATA PROTECTION BILL, 2019
Recently, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha.
The need for Data Protection Bill
Protection of privacy:
- India has more than 62 crore internet users, whose personal data is shared online. With supreme Court declaring Right to Privacy a Fundamental right (K.S. Puttaswamy case) protecting individual privacy is constitutional duty of the state.
Check snooping or surveillance by various agencies:
- Recently, 121 Indian citizens’ WhatsApp accounts were hacked by an Israeli software called Pegasus. The Facebook–Cambridge Analytica data scandal of 2018 where personal data of millions of peoples’ Facebook profiles without their consent was used for political advertising purposes.
- The average cost of data breach in India is Rs 12.8 crore, with per capita cost per lost or stolen record reaching Rs 5,019 in 2018, as per a study by IBM; Moreover, data is being considered as new oil in 21st century. Without proper data regulations or data localisation norms, Global firms like Google, Face book are benefitting from data collected from Indians.
- Increasing sophistication of cyber-crimes: The root cause for 51 per cent of data breaches was malicious or criminal attacks, in India as per IBM study.
Key features of the Personal Data Protection Bill
Personal data (data that can identify an individual):
The bill talks about various types of personal data, such as:
- Sensitive personal data (related to finances, health, official identifiers, sex life, sexual orientation, bio-metric, genetics, transgender status, intersex status, caste or tribe, religious or political belief or affiliation)
- Critical personal data (military or national security data and the government can define it from time to time)
- General personal data- other than sensitive and critical personal data.
Applicability of the Data Protection Bill
- The Bill governs the processing of personal data by, Government, companies incorporated in India and foreign companies dealing with personal data of individuals in India.
- Obligations of data fiduciary (an entity or individual who collects and decides the means and purpose of processing personal data):
- Personal data can be processed only for specific, clear and lawful purpose.
- All data fiduciaries must undertake certain transparency and accountability measures such as:
- implementing security safeguards (such as data encryption and preventing misuse of data)
- instituting grievance redressal mechanisms to address complaints of individuals.
- Rights of the data principal (the individual whose data is being collected and processed): These include the right to:
- obtain confirmation from the fiduciary on whether their personal data has been processed
- restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn. It also includes the right to be forgotten which will allow users to erase their personal data published online and give them the freedom to ask entities such as Facebook and Twitter to delete any data they do not want in the public domain.
- Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include:
- if required by the State for providing benefits to the individual
- legal proceedings
- to respond to a medical emergency
Social media intermediaries:
- Platforms with larger number of users and having potential to impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India. According to official sources, while the process can be voluntary for users and can be completely designed by the company, it will decrease the anonymity of users and “prevent trolling”.
Data Protection Authority:
- The Bill sets up a Data Protection Authority which may, take steps to protect interests of individuals, prevent misuse of personal data, ensure compliance with the Bill.
Transfer of data outside India:
- Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Critical personal data can only be processed in India. Personal data other than sensitive and critical personal data don’t have such localisation mandates.
- The central government can exempt any of its agencies from the provisions of the Act, in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, for preventing incitement to commission of any cognizable offence (i.e. arrest without warrant) relating to the above matters.
- Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as, prevention, investigation, or prosecution of any offence, personal, domestic, journalistic purposes
- Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any, non-personal data, anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
Criticisms of the bill
- There are significant departures in the current bill from the draft Bill prepared by the Justice B N Srikrishna committee in 2018.
- Data Protection Authority’s composition is dominated by the government, as contrasted with the diverse and independent composition as suggested in the committee’s draft.
- There is a blanket power of exemption from all provisions of the law (including access to personal data without consent, citing national security, investigation and prosecution of any offence, public order) in favour of a government agency. This could amount to surveillance.
- A report from the IT Ministry’s Artificial Intelligence (AI) Committee contradicts foundational aspects of the Bill, as it suggests:
- India should maintain free flow of data stating that India has been one of the biggest beneficiaries of the global data flows. Limitations on the free and open flow of data can seriously hinder the ability of economy to remain competitive.
- Focus should be placed on implementation and enforcement instead of over-regulation. Sectoral entities are more appropriate regulators than an overarching authority.
- Legislation alone is not enough unless supported by an adequate implementation ecosystem including an effective grievance redressal system and user awareness.
- E.g. security and government access are not achieved by mere localisation, as the encryption keys may still be out of reach of national agencies.
Considering the data privacy as the fundamental right of a citizen and economic downturns of the potential breaches in data, government need to reconsider all the above pending issues. A robust Personal data protection law is the need of the hour. Due importance needs to be given on public awareness, better implementation and regulation and efficient grievance redressal as well.