
Personal Data Protection Bill 2019 and issues with it GS: 2 "EMPOWER IAS"

 

In news:

  • The Personal Data Protection Bill (2019) has several provisions which could have implications for the privacy of an individual. The article examines such provisions and highlights the need for further debate on the Bill.

 

Evolution of privacy as a fundamental right

  • The Supreme Court in MP Sharma v. Satish Chandra (1954) and Kharak Singh v. Uttar Pradesh (1962) had declared that while in certain circumstances the privacy of individuals was to be protected, there was no constitutional right to privacy in and of itself.
  • However, in Puttaswamy v. India (2017) the Supreme Court accepted privacy as a fundamental right.
  • This was an important development.

 

Significance of Data

  • Data is the large collection of information that is stored in a computer or on a network.
  • Data is collected and handled by entities called data fiduciaries.
  • While the fiduciary controls how and why data is processed, the processing itself may be carried out by a third party, the data processor.
  • This distinction is important to delineate responsibility as data moves from entity to entity. For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor — Cambridge Analytica.
  • The processing of this data (based on one's online habits and preferences, but without prior knowledge of the data subject) has become an important source of profits for big corporations.
  • Targeted advertising: Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise online.
  • Apart from this, data processing has become a potential avenue for invasion of privacy, as it can reveal extremely personal aspects.
  • Also, it is now clear that much of the future’s economy and issues of national sovereignty will be predicated on the regulation of data.
  • The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows. Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it.

 

 

Conditions for access to data and issues

  • The bill establishes a number of conditions for companies to follow.
  • For one, it would require digital firms to obtain permission from users before collecting their data.
  • It also declares that users who provide data are, in effect, the owners of their own data.
  • Users will thus be able to control the data their online selves produce, and may request firms to delete it, much like European internet users’ “right to be forgotten”.
  • But the bill stipulates that critical or sensitive personal data, related to information such as religion, or to matters of national security, must be accessible to the government if needed to protect national interest.
  • Critics have suggested that such open-ended access could lead to misuse.
  • Even B N Srikrishna, who chaired the committee that drafted the original bill, has expressed concerns about this provision.
  • The other major concern is about the Data Protection Authority (DPA).

 

 

The Personal Data Protection Bill, 2019

  • The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same. 
  • Applicability: The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.  The Bill categorises certain personal data as sensitive personal data.  This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
  • Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations.  For instance, personal data can be processed only for specific, clear and lawful purpose.  Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals.  They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
  • Rights of the individual: The Bill sets out certain rights of the individual (or data principal). These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
  • Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent.  These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
  • Social media intermediaries: The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
  • Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology.  Orders of the Authority can be appealed to an Appellate Tribunal.  Appeals from the Tribunal will go to the Supreme Court.
  • Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India.  Certain personal data notified as critical personal data by the government can only be processed in India.
  • Exemptions: The central government can exempt any of its agencies from the provisions of the Act: (i) in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii) journalistic purposes.  However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
  • Offences: Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher.  Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
  • Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
  • Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.

 

Advantage

  • Data localisation can help law-enforcement agencies access data for investigations and enforcement.

 

  • As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”.
  • Accessing data through this route is a cumbersome process.
  • Instances of cyber attacks and surveillance will be checked.
    • Recently, many WhatsApp accounts were hacked by Israeli software called Pegasus.
  • Social media is being used to spread fake news, which has resulted in lynchings and national security threats; these can now be monitored, checked and prevented in time.
  • Data localisation will also increase the ability of the Indian government to tax Internet giants.
  • A strong data protection legislation will also help to enforce data sovereignty.

 

Disadvantages

  • Many contend that the physical location of the data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
  • “National security” and “reasonable purposes” are open-ended terms; this may lead to intrusion of the state into the private lives of citizens.
  • Technology giants like Facebook and Google have criticised protectionist policy on data protection (data localisation).
  • They fear that the domino effect of protectionist policy will lead to other countries following suit.
  • A protectionist regime suppresses the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
  • Also, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.