Draft Personal Data Protection Bill 2019: Analysis
Recently, Facebook India's policy head appeared before the 30-member Joint Committee of Parliament that is scrutinizing the draft Personal Data Protection Bill, 2019, while Amazon declined to appear, citing the risk of travel during the pandemic. The draft data protection bill was submitted by the Justice B.N. Srikrishna committee to the Ministry of Electronics and Information Technology (MeitY) to provide a solid legal framework for data protection in India. The bill recognizes privacy as a fundamental right and contains provisions to protect personal data. In December 2019, Parliament approved referring it to the joint committee.
Where does it get the inspiration?
The draft bill borrows many of its provisions from the General Data Protection Regulation (GDPR) of the European Union, which provides a framework for data protection.
Why is there a need for a law?
- With a population of over a billion, India has the second-largest internet user base in the world. A strong data protection law is therefore needed to protect users' personal data.
- Large amounts of personal data have been collected by state agencies and private companies, and the flow of this data across national boundaries has been a cause for concern.
- In many instances, the state and private agencies that use personal data are not transparent about the purpose for which it is being utilized.
- Until now, the only legal framework for information technology in India has been the Information Technology Act, 2000. However, it does not provide guidelines or norms for data collection, storage and processing.
- The need for legislation gained particular attention after the landmark judgement of the Supreme Court (SC) in Justice K.S. Puttaswamy vs Union of India, which held the right to privacy to be an inherent part of the fundamental rights under Article 21 of the Constitution.
What are its objectives?
The bill seeks to safeguard privacy by organizing the relationship between citizens and firms/state agencies in terms of data principals (whose data is collected) and data fiduciaries (who collect the data). It requires fiduciaries to seek consent for the use and processing of sensitive personal data. It also aims to balance the growth of the digital economy with the utilization of data.
What are the key features of the bill?
Rights of the individual:
- The bill provides four rights for every citizen over his or her personal data, as follows:
  - Right to consent and access: a citizen can ask fiduciaries about the purpose for which their data has been utilized.
  - Right to correction: a citizen can have misleading or inaccurate personal data corrected.
  - Right to data portability: a citizen can ask fiduciary agencies to share the details of the personal data about him or her that has been created while using a service.
  - Right to be forgotten: a citizen can prohibit a company from using data that has been shared before.
Grounds for processing personal data:
- Personal data is defined as data relating to the identity of a person. The bill allows processing of personal data if consent is obtained.
- In some cases, data may be processed without the individual's permission on grounds such as: the necessity for any function of the legislature, the provision of state benefits, a requirement under law, compliance with a court judgement, a threat to public health or public order, fraud detection, debt recovery, etc.
Grounds for processing sensitive personal data:
- Sensitive personal data includes any crucial information such as passwords, financial data, genetic data, biometrics, beliefs, transgender status, caste status, etc.
- Sensitive personal data may be processed on the basis of consent, the necessity for any function of the legislature, the necessity of providing state benefits, a requirement under law, or compliance with a court judgement.
Grounds for processing Critical Personal Data:
- Critical personal data is anything that the government may, at any time, designate as critical, such as military or national security data.
- It must be stored and processed in India only.
Data Protection Authority:
- The bill provides for setting up a Data Protection Authority with powers to take measures to protect the interests of citizens, prevent misuse of personal data and secure compliance with the bill.
- The authority will consist of a chairperson and six members with expertise in data protection and information technology.
- Orders from the authority can be appealed to the Appellate Tribunal and the tribunal’s order can be appealed further to the Supreme Court.
- The authority has the power to levy penalties for various offences by the fiduciary.
Transfer of data outside India:
- Personal data can be transferred outside India on certain grounds, such as when the central government approves transfers to a particular country, or when the Data Protection Authority approves the transfer in certain situations.
- The bill does away with the requirement of data mirroring for personal data; only the individual's consent to the transfer abroad is mandatory.
- Data mirroring is the act of copying data from one location to a storage device in real time.
- The earlier version of the bill allowed the transfer of personal data outside India, but a subcategory of sensitive personal data (SPD) had to be mirrored in the country (i.e. a copy had to be kept in India).
- Certain exemptions from compliance are provided on grounds such as state security, prevention, investigation, or prosecution of any offence, and personal, domestic and journalistic purposes.
What are the arguments against the bill?
- The government will have the power to access and process data without a person's consent on weak grounds such as "necessity" and "breakdown of public order". This is prone to misuse, defeats the very purpose of the bill and fails to make the state accountable for its processing of personal or sensitive personal data.
- Corporates are worried about the categorization of financial data as sensitive personal data, since such data is crucial for data analytics.
- The bill makes non-compliance with the law a cognizable and non-bailable criminal offence, which industry considers an arbitrary provision.
- The bill prohibits the cross-border transfer of critical or sensitive personal data by companies. This data localisation will prevent some companies from offering their services in India. It will also increase cybersecurity risks, since the cross-border flow of data is critical to better fraud analysis.
- There is no provision addressing the issue of surveillance.
- The bill is unclear about the roles of different government departments in data processing and about which functions a given processing activity is meant to serve.
- The bill does not explicitly deal with data surveillance by non-state actors.
- When personal data is breached, the affected person is not informed directly; the breach is reported to the Data Protection Authority, which decides whether or not to inform the person.
- There is no strict right to be forgotten, unlike under the EU's General Data Protection Regulation (GDPR): it is not compulsory for a data collector to erase data.
What are the arguments in favor of the bill?
- The bill provides individuals with greater control over their personal data and prevents misuse of the data by companies for their benefit.
- It recognises privacy as a fundamental right, in line with the K.S. Puttaswamy judgement of the Supreme Court, which seeks to protect citizens from threats to their informational privacy.
- It will help keep the balance between the growth of the digital economy and the need to protect personal data.
- Protection of personal data will encourage the free flow of information, resulting in economic growth.
- The bill contains safeguards to prevent misuse, with the explicit provision that the state can access sensitive personal data only on grounds of national security, and only in a fair and reasonable manner with security safeguards such as encryption and de-identification. It will prevent cyber security and terrorism incidents, since the state can find out the identity of perpetrators.
What should be done to make the law perfect?
- There are several grey areas in the draft that need both parliamentary and public debate before the bill comes to fruition.
- Industry-wide consultations are also needed before the law is enacted.
- A separate law is needed to address oversight of intelligence gathering, rather than dealing with it within the data protection law itself.
- A separate tribunal or authority can be established to give prior authorisation for data surveillance and interception.
Even though the draft bill is ambiguous and far from being perfect, it is a step in the right direction. Once it is fine-tuned, it will be an effective law in enforcing the rights of the people over personal data.