PERSONAL DATA PROTECTION BILL, 2019

2020 JUL 2


WHY IN NEWS:

  • The Indian government banned Chinese-owned TikTok, along with dozens of other mobile apps, over alleged data and privacy issues

SALIENT FEATURES:

The Bill trifurcates data as follows:

1. Personal data: Data from which an individual can be identified, such as name, address, etc.

2. Sensitive personal data (SPD): Some types of personal data, such as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.

3. Critical personal data: Anything that the government at any time can deem critical, such as military or national security data.

  • Applicability:
    • The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
    • Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.
  • Obligations of data fiduciary:
    • A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.
    • Such processing will be subject to certain purpose, collection and storage limitations.
    • Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals.
    • They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
  • Rights of the individual: The Bill sets out certain rights of the individual. These include:
    • Right to obtain confirmation from the fiduciary on whether their personal data has been processed.
    • Right to seek correction of inaccurate, incomplete, or out-of-date personal data
    • Right to have personal data transferred to any other data fiduciary in certain circumstances
    • Right to restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.

What is personal data and data protection?

Data can be broadly classified into two types: personal and non-personal data.

Personal data pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.

Non-personal data includes aggregated data through which individuals cannot be identified.

For example, while an individual’s own location would constitute personal data; information derived from multiple drivers’ location, which is often used to analyse traffic flow, is non-personal data.

Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.

  • Grounds for processing personal data:
    • The Bill allows processing of data by fiduciaries only if consent is provided by the individual.
    • However in certain circumstances, personal data can be processed without consent. These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
  • Social media intermediaries:
    • The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information.
    • All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
  • Data Protection Authority:
    • The Bill sets up a Data Protection Authority which may:
      • (i) Take steps to protect interests of individuals
      • (ii) Prevent misuse of personal data
      • (iii) Ensure compliance with the Bill.
    • It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology.
    • Orders of the Authority can be appealed to an Appellate Tribunal.  Appeals from the Tribunal will go to the Supreme Court.
  • Transfer of data outside India:
    • Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions.
    • However, such sensitive personal data should continue to be stored in India.
    • Certain personal data notified as ‘critical personal data’ by the government can only be processed in India.
  • Exemptions:
    • The central government can exempt any of its agencies from the provisions of the Act: (i) in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters.
    • Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii) journalistic purposes.
    • However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
  • Sharing of non-personal data with government:
    • The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
  • Amendments to other laws:
    • The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.

EVOLUTION OF THE BILL:

  • In August 2017, the Supreme Court held that privacy is a fundamental right (Puttaswamy judgement), flowing from the right to life and personal liberty under Article 21 of the Constitution.  The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy
  • In 2017, a Committee of Experts, chaired by Justice B. N. Srikrishna, was set up to examine various issues related to data protection in India.
  • The Committee submitted its report, along with a Draft Personal Data Protection Bill
  • Currently, the usage and transfer of personal data of citizens is regulated by IT Act, 2000.

NEED FOR THE BILL

  • A source of making profit:
    • The processing of personal data (based on one's online habits and preferences, but without prior knowledge of the data subject) has become an important source of profits for big corporations.
  • Targeted advertising:
    • Companies, governments, and political parties find personal data valuable because they can use it to find the most convincing ways to advertise online.
  • Privacy breach:
    • Processing of personal data has become a potential avenue for invasion of privacy
  • National security:
    • Over 3.94 lakh cyber-security incidents were reported in 2019, according to Computer Emergency Response Team-India (CERT-In).
    • Much of the future’s economy and issues of national sovereignty will be predicated on the regulation of data.
    • Data localisation arguments are premised on the idea that a country has the sovereignty to control the data flows of its citizens.
  • Assisting law enforcement agencies:
    • Data localisation can help law-enforcement agencies access data for investigations and enforcement. Instances of cyber-attacks can be addressed in a more effective manner if a strong legal framework is in place.
  • Increasing spread of fake news:
    • Social media is being used to spread fake news, which has resulted in lynchings and national security threats; these can now be monitored, checked and prevented in time.
  • Taxing tech giants
    • Strong data protection legislation will also help to enforce data sovereignty and increase the ability of the Indian government to tax Internet giants.

ISSUES/CONCERNS

  • Surveillance fears:
    • The Bill provides very wide exemptions to government agencies for surveillance activities that require access to and processing of personal data
    • The Bill dilutes individuals’ control over their data by allowing the government to exempt any of its agencies from any or all the provisions of the Bill
    • As per the Bill, the government can ask any company to give it anonymised personal or non-personal data for policy formation and better delivery of services.
    • ‘National security’ and ‘reasonable purposes’ are open-ended terms; this may lead to intrusion of the state into the private lives of citizens.
  • Not in line with SC directives:
    • The Bill does not adhere to the Supreme Court ruling on the right to privacy in the Puttaswamy judgement, which mandates that the government and authorities declare specific objectives for gathering or collecting personal data.
  • No judicial member in the DPA:
    • The Data Protection Authority (DPA) team mainly comprises secretaries from the Cabinet, Department of Legal Affairs and the MeitY.
    • This raises a major concern about the DPA being independent of the government.
  • Impact on Companies:
    • The Bill will introduce a level of legal compliance that did not previously exist for companies. They will have to revamp their data handling practices, which increases their cost of operation. This could prove detrimental to India’s vision of improving the ease of doing business
  • Restriction on cross-border data:
    • The Bill puts restrictions on the transfer of sensitive and critical personal data, not all personal data.
    • Many contend that the physical location of the data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies

SUGGESTIONS:

  • Adopt best practices in EU’s GDPR:
    • General Data Protection Regulation (GDPR) is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states
    • The GDPR also regulates the exportation of personal data outside the EU.
  • No data should be collected until it is authorised by law:
    • As the Justice Srikrishna-led panel recommended, no data should be collected by the government until it is authorised by law.
  • Assisting smaller tech firms:
    • Government should assist smaller firms, financially and technically, to comply with the data protection framework.
  • Need for Constitutional Amendment:
    • There is a need for a constitutional amendment whereby the right to privacy can be guaranteed expressly by insertion of a new provision
  • Need for a comprehensive policy:
    • India needs a comprehensive policy guaranteeing individuals the right to control the collection and distribution of their personal information
  • Freedom of speech and expression over internet ought to be maintained
    • Development of sophisticated technological and legal solutions shall pave the way for securing online privacy and data.
    • Reasonable restrictions should remain reasonable on the anvil of law and should not fetter growth of internet and communications.
    • Internet censorship should only be invoked in the cases of dire necessity on justifiable grounds such as preserving national sovereignty, public order and safety
  • Educating people:
    • No regulatory mechanism of the state would be adequate to protect the right to privacy of the individuals. Hence, the individuals are required to take certain precautions:

CONCLUSION:

  • We need proper rules, regulations and more large-scale reforms to ensure that citizens are not targeted and that privacy is not infringed on in an unconstitutional manner. The government must come up with a comprehensive set of laws which take into account the interest of Indian startups as well as the Indian tech industry

PRACTICE QUESTION:

Q. How would cross-border data flows affect national security of India?