Data Protection refers to the procedures and policies inviting to minimize the intrusion of privacy of an individual by collecting and using the data. In December 2019, a bill named as Personal Data Protection Bill was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad. A decade agoin India, the Information Technology Act, 2000 was passed by the government to protect the information of individuals. However, the new bill has enacted a separate law for the personal data, in the hopes that India will face a significant positive change.
The Personal Data Protection Bill, 2019 refers to the fundamental right of “Right to Privacy” by the honourable Supreme Court of India, in the famous case of Puttaswamy VS Union of India.
The Government of India has now realized the need for an act which will solely look into the matters related to the right of privacy and to protect the data of an individual. The Bill has been passed in the Lok Sabha and has now been passedto the Standing committee.
In recent years, India haspassed through several technological developments which have led to the huge amount of data generation through various activities and the need to protect this data has also increased. Many companies rely on this data to make important decisions in a firm. Even the government for its state affairs and benefits depends upon the large scale collection and usage of this data. One such example of this is the biometric identification and Aadhar verification by the government.
A petition in Supreme Court of India was filed in the year 2012 challenging the constitutional validity of Aadhar on the grounds of that it violates the individual’s right to privacy. After this in August 2017, a Supreme Court bench consisting of 9 judges declared the right to privacy as a fundamental right of Indian citizens. The court alsostated that the right to privacy is protected by the right to life and personal liberty under Article 21 of the constitution. The court also observed that privacy of personal data and information or “informational privacy” is also a characteristic of right to privacy.
Other countries formulated regulatory bodies and frameworks a while agoto protect an individual’s personal data. Taking cognizance of this, in July 2017, a committee of experts was formulated under the chairmanship of Justice B.N. Srikrishna to:
- Research issues related to the protection of data
- Find solutions through which an individual’s data could be protected
- Suggest a Bill for the same so that it can be enacted in legislation
Finally, on July 27, 2018, the Bill was presented to the Ministry of Electronics and Information Technology which asked for the protection of an individual’s personal data in a manner through which data would be protected and the regulatory bodies set up could oversee the data processing method.
Protection of Data through the Bill
The data protection Bill imposes few obligations on the entities which have the right to control the data, and these entities are known as “Data Fiduciaries”. These fiduciaries can determine the purpose and means of its processing, and it includes both government as well as private entities. The person whose data is referred or processed is known as “Data principal”. If these compliance obligations are not been followed, then the burden is shifted to the data fiduciary.
The obligation mainly includes:
- It has now become essential to let the data principal know before collecting their data.
- To make sure that the data which is stored is accurate and correct.
- The data shouldbe stored and processed only for specific reasons.
- A valid consent has to be taken from the data principal before processing the data. If the purpose is to transfer the data to any third party, then the consent required under such circumstance is relatively of a higher degree.
- Under this Bill, one of the major obligations is to provide the data principal with certain rights. He/she should have the right to erase, protect, access, correct, and prevent disclosure of the data.
The obligations are structured in such a way that it secures the position of the data principal and also gives them ownership.
The Regulatory body/Adjudicatory body is called the “Data Protection Authority” which will check and imposepenalties for non-compliance of the above-mentioned obligations. It is considered as an overlooking authority which will look into all the matters related to the Bill.
Exemptions under the Bill
Though the Bill is enacted for the majority of the firms of India, it still has certain exemptions:
- Manual processing done by the small entities is not mandatory as they don’t have the sources to implement such commitments.
- The entities which process data for BPO industry, research industries, and for statistical purposes are also excluded whether it is a public or private company.
- The entities which work in relation to legal proceedings, journalist purposes, national security, prevention, detection, investigation and prosecution of contraventions to law, or for personal and domestic purposes are also exempted from the obligations of data fiduciaries.
Apart from the above exemptions, there is a specific exemption which only applies to the Government. The Central Government can exempt any of its agency from all the provisions of the Bill and such agency which can also be referred as data fiduciary will be able to process all the data of the data principals ( without informing them ). The list of such exempted agencies can also be formatted from time to time, which means such agencies can be added or subtracted on a timely basis.
The vested interest of the Government
Data protection authority has been formed to look after all the matters related to the data processing methods of the data fiduciaries. These data fiduciaries are obligated to work under the procedure laid down by the Bill and therefore, a regulatory body has been formed to keep a regular check. If the regulatory body is not formulated, then the obligations imposed on the data fiduciaries is meaningless as there would be no procedure through which this data fiduciaries could be held responsible.
Data Protection Authority will look after matters such as:-
- how the consent is taken from the data principal,
- the method through which data is processed,
- deletion of the data, the safeguards used to protect the right of the data,
- form of manner and maintaining records, etc.
But a “Memorandum” attached to the Bill, clearly states that making of any regulations by the Data Protection Authority may make such regulations only with the due consideration of the Central Government. The regulatory body has to be formed by the Central Government.
This control of the Data Protection Authority by the government is a clear picture of the vested interest of the government in the powers to make rules and regulations for the data fiduciaries. The government will act as a data fiduciary and on the other hand, it will also be involved in controlling the obligations of data fiduciaries. Therefore, this role of government where it plays both the victim and the attacker is highly questionable and will require certain amendments or removal of such memorandum.
New terms enacted in the Bill
With the formulation of a new Bill, the Government of India has also enacted certain new terms in the Bill. Those terms are:
However, the creation of a sandbox is slightly questionable as these fiduciaries would be allowed to access the personal information of an individual without any obligation, thus violating the fundamental right of Indian citizens that is “right to privacy”.
- Non-Personal Data
It was highly recommended that the Bill should be only limited to the personal data of an individual which reveals personal information. In fact, the Bill which was drafted in 2018 by the Srikrishna committeeclearly stated that the Bill is applicable only to the Personal and not the anonymized data.Quashing this, the new Bill proposed in Lok Sabha takes in consideration the non-personal or anonymised data too leading to better formulating of evidence-based policy by the Central Government.
This consideration is questionable as non-personal data of an individual has no direct connection with the right to privacy. Further, most of the companies which are data fiduciaries legally have the right to process the non-personal data which they have generated through the databases.
- Social Media Role
The Bill introduced a new concept known as Social Media Intermediary and empowers the government to make some social media intermediaries as the “significant data fiduciaries”. These fiduciaries will have to follow all the norms and regulations laid down by the Data Protection Authority once the Bill is enacted.
These social media intermediaries will then be verified by the Data Protection Authorityand will show a verification mark. The documents required to get the verification mark will further depend on the type of social media intermediary, thus leading to biases and partiality.
In the proposed Bill, there has not been any timeframe given within which the Data Protection Authority will be formed which will regulate the working of the data fiduciaries. On the other hand, as soon as the Bill becomes an act, the government will be allowed to access the data without any obligations due tothe exemption policy mentioned in the Bill.
The Personal Data Protection Bill, 2019 has been proposed in Lok Sabha and is yet to be passed by the Rajya Sabha. The Bill will work in favour to protect the individual's data, thus protecting the right to privacy and other fundamental rights of the Indian citizens. Once the Bill is passed in the Rajya Sabha itwill formulate to become an act. The Bill will be helpful to access the data legally with obligations.