NEED FOR DATA PROTECTION LAW

2020 MAR 25

IN NEWS:

A recent report published by a German cybersecurity firm has revealed that over 120 million Indian patients' medical details have been leaked and made freely available on the Internet. This has further raised the demand for a strong data protection law.

INDIA’S VULNERABILITY:

  • India emerged as the third most vulnerable country in terms of risk of cyber threats in 2017, according to a report by security solutions provider Symantec.
  • As per the Global Cybersecurity Index of International Telecommunication Union (ITU), India’s rank has slipped to 47th in 2018 from 23rd in 2017.

CHALLENGES TO INDIA’S DATA SECURITY:

  • Large share of internet users & digital illiteracy: India is home to the 2nd largest population of internet users. By 2020, India is expected to have 730 million internet users, with 75% of new users from rural areas. However, digital literacy is almost non-existent among more than 90% of India’s population.
  • Obsolete systems: India is a major destination for cheap electronic imports. These systems have inadequate security features, making them susceptible to hacking and malware attacks. Also, the rampant use of unlicensed software and cracked licenses increases the vulnerability to data theft.
  • Offshore servers: Most service providers in India use data servers and processing centers located beyond the geographical boundary of India. This has proved to be a major hindrance in investigating cybercrimes and ensuring that the firms abide by the Indian cyber and privacy laws.
  • Import dependency: Most IT equipment and infrastructure in India are currently procured from global sources. These systems are vulnerable to the inclusion of faults or backdoors, insertion of hidden methods, hardware tampering etc.
  • Under-reporting: As per the National Crime Records Bureau, cybercrimes accounted for less than one percent (0.43%), or 21,796 cases, of a total of 50,07,044 cognizable crimes in 2017. This indicates a severe case of under-reporting of cybercrimes.
  • Shortage of quality manpower: According to a recent workforce development survey, 59% of organizations have vacant cyber security positions. It also forecasts a shortfall of 1.5 million by 2020 globally.
  • Limited inter-agency coordination: Cybercrimes like data theft often span the jurisdictions of different agencies, such as state police forces, the Enforcement Directorate, departments under the Home and Foreign Affairs Ministries etc. However, until recently there has been no proper mechanism to ensure smooth coordination between these agencies in matters of data sharing, investigation etc.
  • Jurisdictional uncertainty: Cybercrimes cut across territorial borders, which undermines the feasibility and legitimacy of applying domestic laws. In the absence of a single internationally recognized code of law and procedure governing cybercrimes, the law enforcement authorities of individual countries find it extremely difficult to tackle cybercrimes and criminals while applying their territorial law.

EXISTING LEGISLATIONS:

I. Information Technology Act, 2000:

  • It was enacted with the primary objective of regulating e-commerce in the country. However, it also includes provisions dealing with unauthorized use of internet or computers. It is often referred to as the cyber law of India.
  • It contains a wide range of offences such as tampering with computer sources, sending offensive messages, violation of privacy, publishing obscene material etc., all of which are recognized as illegal activities under the Indian Penal Code.

II. Information Technology (Reasonable Security Practice and Procedures and Sensitive Personal Data or Information) Rules, 2011:

  • The IT Rules have been incorporated to provide for minimum standards on collection, disclosure and transfer of personal information.
  • It mandates that a body corporate shall obtain prior consent from the provider of ‘sensitive personal data or information’ before using such information. It also mandates that all bodies corporate devise a ‘privacy policy’ for dealing with personal information.

III. Sector specific laws:

  • Various sectors such as financial, telecom and healthcare have their own pre-existing laws and procedures for protection and localisation of data and other information. For example:
    • RBI issues guidelines, regulations and circulars, and evolves voluntary norms that banks must enforce for payments data protection.
    • The Department of Telecom in consonance with the TRAI issues guidelines for protection and localisation of data collected by service providers from their customers.
    • SEBI promulgated the Data Sharing Policy in 2018, which aims at simplifying data sharing and formalisation of data protection measures to prevent data from misuse.

WHY WE NEED A SEPARATE LAW:

  • To address today’s reality: Data is becoming more valuable today. Although privacy rules exist under existing legislations such as the IT Act, they have not been updated to suit the challenges of today’s connected world.
  • Assure the fundamental right to privacy: In the Js. Puttaswamy Vs Union of India case, 2017, the Supreme Court declared that the Right to Privacy forms a part of the fundamental rights. Hence specific laws have become the need of the hour.
  • Address cross sectoral nature of data: Data is not confined to a single sector or a geographical boundary. Hence, protection of data needs an overarching regulatory framework. The IT Act does not serve this purpose, as it was developed to primarily address e-commerce trade in India.   
  • To ensure public safety and rule of law: Around the world, companies and entities are collecting people’s data on a large scale. To ensure fair and consumer-friendly commerce and provision of services, it is important to know what data is being processed, why it is being processed and on what grounds.
  • Enhance ease of doing business status: Recognition as a data-secure country is vital for India to ensure meaningful data access in cross-border supply. However, India is among the countries not considered data secure by the EU. This creates difficult and cumbersome procedures, thereby affecting the ease of doing business status of the country.
  • Ensure data sovereignty: In today’s world, data is often referred to as the ‘new oil’ to indicate its current geopolitical significance. Data is an essential resource that powers the information economy in much the way that oil has fueled the industrial economy. Hence, India needs to have appreciable control over data if it is to face the challenges of the future.

PERSONAL DATA PROTECTION BILL, 2019: 

  • In 2017, the Ministry of Electronics and Information Technology constituted a committee of experts under the chairmanship of Justice (Retd.) B. N. Srikrishna. Based on its recommendations and suggestions from other stakeholders, the Personal Data Protection Bill, 2019 was drafted.
  • The Bill regulates three categories of data:
    1. Personal Data: Any information that’s collected online or offline which can be used to identify a person.
    2. Sensitive Personal Data: It includes health care data, financial data, sexual orientation, biometrics, caste, tribe, religious and political beliefs.
    3. Critical Personal Data: yet to be defined by the government
  • It seeks to set up a Data Protection Authority:
    • It may take steps to protect interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill.
    • It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology. 
  • Applicability: The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
  • Rights of the individual: The Bill sets out certain rights of the individual (or data principal)
    1. Obtain confirmation from the fiduciary on whether their personal data has been processed
    2. Seek correction of inaccurate, incomplete, or out-of-date personal data
    3. Have personal data transferred to any other data fiduciary in certain circumstances
    4. Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
  • Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. The bill seeks to permit processing of data by fiduciaries only for specific, clear and lawful purpose and imposes certain transparency and accountability measures.
  • Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent.  These include:
    1. if required by the State for providing benefits to the individual
    2. legal proceedings
    3. to respond to a medical emergency
  • Data localization and transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India.
  • Exemptions: The central government can exempt any of its agencies from the provisions of the Act in the interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and for preventing incitement to commission of any cognizable offence relating to the above matters. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
  • Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data for better targeting of services.
  • Penalties: The bill proposes various punishments, both monetary and imprisonment, for violators.

CRITICISM:

  • Exceptional power to government: The bill empowers the central government, in Section 35, to allow any government agency to bypass all privacy safeguards to access data. This creates the fear of a ‘surveillance state’.
  • Dilution of recommendations: It dilutes provisions for data localization. The 2018 draft provided for storage of one serving copy of all personal data in India. The 2019 Bill only talks of "critical" and "sensitive" personal data and subjects those to a similar regulatory regime.
  • Effectiveness of data localization: Many contend that the physical location of data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies. Also, the Bill does not deal with non-personal data, that is, data which is not specific to a person, such as machine-generated or auto-generated data.
  • Regulatory burden: The proposed law may have a considerable impact on MNCs operating in India, whether with or without a physical presence, due to its data localization requirements and cross-border data transfer restrictions.
  • Effectiveness of regulator: The authority is established with broad objectives and mandates. Whether the Data Protection Authority can successfully address these remains a question. Also, Section 86 (2) of the bill says the DPA is bound by central government-issued directions on “questions of policy”, which calls its independence into question.

WAY FORWARD:

  • India is expected to be one of the largest players in cyberspace in the coming years. But for cyberspace to be safe and beneficial, India needs a proper regulatory environment that ensures privacy and fair play.
  • The 2019 Bill, with all its frailties, is a long-awaited step in the right direction. Enacting the bill will go a long way in regulating data collection and processing by public and private entities. It will give more powers to individuals whose data is being collected and also help improve India’s status as an upholder of citizens’ rights, data security and privacy.
  • However, unbridled power to the authorities must be restricted. Hopefully, the Joint Committee of the Houses to which it has been referred for wider consultation will plug the gaps and provide the country with a robust data protection law, which is the need of the hour.
  • Besides the privacy law, India should also strengthen its cyber security capabilities. This should include enhancing digital literacy for the masses, developing indigenous manufacturing capability and strengthening efforts to create a dedicated cadre of data professionals.