“Never in the field of Data Protection has so little been done by so many for something so important” paraphrases Winston Churchill. When Indian consumers use internet services and social media apps, they gladly hand over their personal details to service providers in exchange for free use of those services. These details are usually stored on servers outside India’s borders, and that is the primary source of data privacy concerns. Before going into the intricacies of the recently introduced data protection bill, I would like to define personal data: it is data relating to the characteristics, traits, or attributes of identity that can be used to identify an individual.
The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on 11th December 2019. The bill seeks to protect the personal data of individuals and to establish a Data Protection Authority for that purpose. It governs the processing of such data by (i) the government, (ii) companies incorporated in India, and (iii) foreign companies dealing with the personal data of individuals in India. The term ‘processing’ means any operation (whether automated or not) performed on such data, including collecting, recording, organizing, structuring, storing, modifying, using, publishing, erasing, or destroying data. The bill also categorizes certain personal data as sensitive personal data, which includes financial data, biometric data, caste, religious or political beliefs, and any other category the government may specify.
The bill defines an entity known as the Data Fiduciary, which decides the means and purposes of processing personal data. Personal data can be processed only for a specific, clear, and lawful purpose. While the fiduciary controls the method and purpose, the data may actually be processed by a third party, known as the Data Processor. The bill also grants individuals certain rights: (i) to obtain confirmation from the fiduciary on whether their data has been processed (right to confirmation and access); (ii) to seek correction of inaccurate, incomplete, or out-of-date personal data (right to correction); (iii) to have their personal data transferred to another data fiduciary in certain circumstances (right to data portability); and (iv) to restrict the availability of their personal data where it is no longer necessary or consent has been withdrawn (right to be forgotten).
The data fiduciary is additionally responsible for ensuring safeguards such as data encryption and misuse prevention, and for putting in place a grievance redressal mechanism to address complaints from individuals. It is also required to verify age and obtain parental consent before processing the sensitive personal data of children. Every data fiduciary has to give the data principal (the person to whom the data relates) notice at the time of collection, stating the purposes of processing, the nature of the data being collected, the source of collection, and so on.
Data can be processed only after the fiduciary obtains the individual’s consent. The exceptions to this rule are processing required by the state to provide a benefit to the individual, processing for legal proceedings, and processing in a medical emergency. The bill also paves the way for the establishment of a Data Protection Authority, whose task is to ensure that the public interest prevails and that the bill is complied with, by preventing any misuse of personal data by data fiduciaries and data processors. It consists of a chairperson and six members, each with at least 10 years of expertise in data protection and IT. Orders of the authority can be appealed to the Appellate Tribunal.
Sensitive personal data may be processed outside India if the data principal expressly consents; however, the data must continue to be stored in India. Critical personal data, as notified by the government, may be processed only in India. The bill also states that the government can ask companies to share anonymized or non-personal data for the purpose of policymaking. Such data is used to derive insights about trends; for example, data on the number of people opting for cabs may give a fair indication of the health of the automobile sector in terms of consumption.
The bill also prescribes penalties. Processing in violation of the bill attracts a fine of Rs 15 crores or 4% of the data fiduciary’s annual turnover, whichever is higher. Failure to conduct a data audit attracts a fine of Rs 5 crores or 2% of the fiduciary’s annual turnover, whichever is higher.
Private organizations, meanwhile, have to restructure their entire engineering design, since privacy needs to be central to their purpose. They need to be stricter about compliance with the provisions on de-identification (preventing the revelation of an individual’s identity) and encryption. Large organizations and social media companies have to carry out periodic security audits and appoint a data protection officer. This poses a huge challenge for companies in terms of rising costs: for instance, Microsoft spent hundreds of millions of dollars and employed more than 300 engineers to comply with the European GDPR.
However, one major criticism of the bill relates to Section 35, which empowers the government to exempt any government agency from complying with the bill if this is in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states, or public order, or for preventing any cognizable offense in respect of the same. The only requirement is a written order from the Central Government specifying the reasons.
Many cyber law experts say Section 35 completely defeats the purpose of the bill. It puts immense power in the hands of the Central Government with no checks and balances, fundamentally undermining the premise of data protection. According to Mr. Srikrishna, who led the committee that drafted the 2018 Data Protection Bill, this bill will turn India into an Orwellian state, destroying the welfare of a free and open society. Private corporations do make money by using personal data to manipulate behavior, but when such data falls into the hands of an authority as powerful as the government, the matter becomes far more dangerous.
However, the Data Protection Bill is not yet final. It has just been referred to a joint select committee of the Lok Sabha and Rajya Sabha, which is expected to submit its report before the end of the budget session. If the government genuinely wants to address citizens’ privacy concerns, it needs to focus on the shortcomings of the bill. To empower individuals, it must give up some of its own control.