The Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill of 2019 is said to have adopted the final draft. The Bill will be tabled in the Winter Session of Parliament.
What is Personal Data?
Data can be broadly classified into two types: personal and non-personal data.
Personal data pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.
Non-personal data includes aggregated data through which individuals cannot be identified.
For example, while an individual’s own location would constitute personal data, information derived from multiple drivers’ locations, which is often used to analyse traffic flow, is non-personal data.
What is Data Protection?
Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.
Why was a bill brought for Personal Data Protection?
In August 2017, the Supreme Court held that privacy is a fundamental right under Article 21 of the Constitution.
The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy.
In July 2017, a Committee of Experts, chaired by Justice BN Srikrishna, was set up to examine various issues related to data protection in India.
The committee submitted its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018.
How is personal data regulated currently?
Currently, the usage and transfer of personal data of citizens are regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000.
The rules hold the companies using the data liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data.
Initiatives in India:
Information Technology Act, 2000:
It provides safeguards against certain breaches in relation to data from computer systems. It contains provisions to prevent the unauthorized use of computers, computer systems and data stored therein.
Personal Data Protection Bill 2019:
The Supreme Court upheld the right to privacy as a fundamental right in the landmark decision of K.S. Puttaswamy v. Union of India 2017, after which the Union government appointed the Justice B.N. Srikrishna Committee to propose skeletal legislation in the field of data protection.
The Committee came up with its report and draft legislation in the form of the Personal Data Protection Bill, 2018.
In 2019, Parliament again revised the Bill, and the revision deviated considerably from the 2018 Bill. The new Bill was named the Personal Data Protection Bill, 2019.
The purpose of this Bill is to provide for protection of privacy of individuals relating to their Personal Data and to establish a Data Protection Authority of India for the said purposes and the matters concerning the personal data of an individual.
Issues with IT Rules, 2011
The IT rules were a novel attempt at data protection at the time they were introduced, but the pace of development of the digital economy has shown their shortcomings.
For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some of the provisions can be overridden by a contract.
Further, the IT Act applies only to companies, not to the government.
What does the Personal Data Protection Bill provide?
Collection and storage: The Bill regulates personal data related to individuals, and the processing, collection and storage of such data.
Data Principal: Under the bill, a data principal is an individual whose personal data is being processed.
Data fiduciary: The entity or individual who decides the means and purposes of data processing is known as data fiduciary.
Data processing: The Bill governs the processing of personal data by both government and companies incorporated in India.
Data localization: It also governs foreign companies, if they deal with personal data of individuals in India.
General consent: The Bill provides the data principal with certain rights with respect to their personal data. Any processing of personal data can be done only on the basis of consent given by data principal.
Data Protection Authority: To ensure compliance with the provisions of the Bill, and provide for further regulations with respect to processing of personal data of individuals, the Bill sets up a DPA.
Features of the draft Personal Data Protection Bill, 2019:
Personal data definition: The Bill defines ‘personal data’ as any information which renders an individual identifiable. Also, it defines data ‘processing’ as collection, manipulation, sharing or storage of data.
Territorial applicability: The Bill includes the processing of personal data by both government and private entities incorporated in India, and also the entities incorporated overseas if they systematically deal with data principals within the territory of India.
Grounds for data processing: The Bill allows data processing by fiduciaries if consent is provided by the individual.
Sensitive personal data: Sensitive personal data defined in the Bill includes passwords, financial data, biometric and genetic data, caste, religious or political beliefs. The Bill specifies more stringent grounds for the processing of sensitive personal data, such as seeking explicit consent of an individual prior to processing.
Data Protection Authority: The Bill provides for the establishment of a Data Protection Authority (DPA). The DPA is empowered to (1) draft specific regulations for all data fiduciaries across different sectors, and (2) supervise and monitor data fiduciaries.
Cross-border storage of data: The Bill states that every fiduciary shall keep a ‘serving copy’ of all personal data in a server or data centre located in India.
Transfer of data outside the country: Personal data (except sensitive personal data which is ‘critical’) may be transferred outside India under certain circumstances.
Issues with the PDP Bill
Exemptions to the government: Section 35 of the Bill permits the Central Government to exempt any agency of the Government from the provisions of the law.
No reasonable exemptions: There is no sufficient reason for government agencies to be exempted from basic provisions of the Bill.
Easy breach: The exemption would, however, be subject to procedures, safeguards, and oversight mechanisms to be prescribed by the Government.
Executive hegemony: There is no scope for oversight over the executive’s decision to issue such an order.
Arbitrary and intrusive: As demonstrated by the Pegasus case, the current frameworks for protecting citizens from arbitrary and intrusive State action lack robustness.
Why is the state given exemption?
Biggest need for data: The State is one of the biggest processors of data, and has a unique ability to impact the lives of individuals.
Welfare objectives: It has a monopoly over coercive powers as well as the obligation to provide welfare and services.
Issues with Exemption to State
Grounds of expediency: The use of this provision on grounds of expediency is an extremely low bar for the Government to meet.
Non-requirement for exemption order: There is no requirement for an exemption order to be proportionate to meeting a particular State function.
No oversight on executive actions: There is no scope for oversight over the executive’s decision to issue such an order or any safeguards prescribed for this process.
State surveillance: Section 36(a) of the Bill provides for an exception where personal data is being processed in connection with a criminal investigation. This provision could therefore encourage vigilantism or enable privatized surveillance.
In this digital age, data is a valuable resource that should not be left unregulated. In this context, the time is ripe for India to have a robust data protection regime.
It is time that requisite changes are made in the Personal Data Protection Bill, 2019. It needs to be reformulated to ensure that it focuses on user rights with an emphasis on user privacy. A privacy commission would have to be established to enforce these rights.
The government would also have to respect the privacy of the citizens while strengthening the right to information. Additionally, the technological leaps made in the last two to three years also need to be addressed, since they have the capacity to render the law redundant.