The Personal Data Protection Bill 2019: Is it strong enough?

Author: Isha Anand of Central University of South Bihar, Gaya

Data is generated by virtually everything we do. This data is immensely valuable. Indeed, in this age of free access to the internet, internet data is like a new currency. As technology develops, new applications emerge that reinforce the worth of the data. Many questions arise: To whom does this data belong? Who can access it? What are the bounds of privacy? Does national security prevail over all concerns of privacy?[1]

On 24th August 2017, the Supreme Court of India held in Puttaswamy’s case[2] that the right to privacy is a fundamental right guaranteed by Part III of the Constitution of India. This decision had far-reaching ramifications on the laws.

The Government then appointed an expert committee under the chairmanship of Justice BN Srikrishna (former Judge of the Supreme Court of India) to suggest a draft data protection bill.

The Government has now come up with the Personal Data Protection Bill, 2019, which was approved by the Cabinet in December 2019 and is now likely to be tabled in next year’s budget session.[3]

About the Bill

The Bill has extraterritorial jurisdiction and applies to both private and public companies.

The Bill has defined “Data” under Section 3 (11) as:

“Data includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.”[4]

Data is divided into many categories. Some of the important categories are:

Section 3 (28) “Personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for profiling.”[5]

Section 3 (36) “Sensitive personal data means such personal data, which may, reveal, be related to, or constitute— (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation.”[6]

Some important aspects of the Bill are as follows:

1. Applicability: The Bill provides for the processing of personal data by:

  • The Government,
  • The companies incorporated in India, and
  • The foreign companies handling personal data of people in India.

2. Obligations of data fiduciary: Section 3 (13) defines “data fiduciary” as:

“Data fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of the processing of personal data.”[7]

Such processing will be subject to purpose, collection and storage limitations. For example, data fiduciaries can process personal data only for a specific and lawful purpose. They also have to take transparency and accountability measures such as:

  • Implement security safeguards, and
  • Institute grievance redressal mechanisms to deal with the complaints of people.

They also need to institute mechanisms for age verification and parental consent when processing sensitive personal data of children.

3. Sharing of non-personal data with Government: The Central Government may direct data fiduciaries to provide any non-personal data and anonymous personal data (where it is not possible to identify the data principal).

4. Rights of the individual: The Bill provides certain rights to the data principal. These include:

  • Right to confirmation and access.
  • Right to correction and erasure.
  • Right to data portability.
  • Right to be forgotten (personal data).

5. Processing personal data by data fiduciaries: According to the Bill, fiduciaries can process data only if consent is given by the individual. However, they can process some data without consent if it is required by the State for providing benefits to the individual, for legal proceedings, or to respond to a medical emergency.

6. Data Protection Authority: There will be a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. The Data Protection Authority will consist of a chairperson and six members, with at least ten years of experience in the field of data protection and information technology. One can appeal the order of the Authority to an Appellate Tribunal. One can further appeal to the Supreme Court, if not satisfied with the order of the Appellate Tribunal.

7. Transfer of data outside India: If an individual explicitly gives consent, then the Government may transfer sensitive personal data outside India for processing subject to certain additional conditions. 

8. Exemptions: The Central Government can exempt any of its agencies from the provisions of the Act if it is satisfied that it is necessary or expedient:

  • In the interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign countries, and
  • For preventing incitement to commission of any cognizable offence relating to the matters stated above.

The Bill also exempts processing of personal data for a few other purposes, such as prevention, investigation, or prosecution of any offence, and personal, domestic, or journalistic purposes. However, the processing must be for a lawful purpose.

9. Offences: The offences stated under the Act will be cognizable and non-bailable. They are as follows:

  • Re-identification and processing of de-identified personal data without consent, which is punishable with imprisonment of up to three years, or fine of two lakhs, or both.
  • Offences by companies.
  • Offences by the state.
  • Penalties for processing or transferring personal data by fiduciaries in violation of the Bill, which is punishable with a fine of fifteen crore rupees or four percent of the annual turnover, whichever is higher, and
  • Penalties for failure to conduct a data audit by fiduciaries, which is punishable with a fine of five crore rupees or two percent of the annual turnover, whichever is higher.

Negative aspects of the Bill

The provisions of the Bill clearly show that the power to process and control personal data rests in the hands of the Central Government. Many negative aspects can be noted. We will deal with these negative aspects one by one.

  • The Government can transfer sensitive personal data outside India with the explicit consent of the data principal. Data principal here refers to us, whose data is being stored.
  • Further, the Government is provided with an exemption from taking consent to process personal data and critical personal data (which is not defined in the Bill, but is such data as the Central Government decides is critical personal data).
  • Another negative aspect is the complete power lying with the data fiduciary.
  • The data fiduciary determines the purpose and means of processing the data. While it may process the data itself, it may also outsource the processing activities to a data processor, which is usually a third-party entity. For example, Facebook might collect the data and decide what to do with the data.
  • Another aspect is how data flows. The data is collected, it is processed and it is stored. The data fiduciary does that, but it can choose a third party, the data processor, to process and make sense of the data. This brings us to how the data is stored. For example, if the third party is Facebook or Google, and the data of Indians is collected, processed and stored by them, then the location of that stored data will be overseas. This raises the concern of the protection of the data stored. It also raises the concern of the ownership and control of that personal data. The Bill is silent on this part.
  • This brings in another aspect, data localisation, in which certain kinds of data will be stored only in India and can be processed by the Government when necessary (some without the consent of the data principal). This raises concerns about surveillance.
  • Next are the rights given to the data principal. One among those is the Right to be forgotten under Section 20. This right of the data principal is subject to the order of an authority. This shows that data principals themselves do not have a direct right over their data.
  • Next is the Data Protection Authority, which the Bill talks about. The independence of this body is questionable: the Bill says that the DPA will entirely consist of the executive, which gives a lot of power to the Government.
  • The influence of power was seen in the way the Bill was passed in the Lok Sabha. The Speaker, after the introduction of the Bill, was supposed to refer it to the Standing Committee on Information Technology, which is headed by Congress MP Shashi Tharoor, but instead, the meeting was cancelled. It was then decided to send the Bill to a Joint Parliamentary Committee, which is formed only to inspect the Bill.
  • Lastly, the Bill allows the Government to exempt any of its agencies from the requirements of this legislation and also allows it to decide what safeguards would apply to their use of data. This potentially constitutes a new source of power for national security agencies to conduct surveillance and, paradoxically, could dilute privacy instead of strengthening it.[8]

Conclusion

The Bill was conceptualised 2 years ago and has gone through many changes. The three most serious concerns about the draft Bill are:

  1. Data localisation: The requirement to store a copy of all data of citizens within India raises concerns of surveillance. The Government has not given any idea about how it is going to store the data and how it will be processed. It is also not clear whether that storage will be strong enough to protect our data. The question that arises here is: who will have the ownership and control of that personal data?
  2. Government processing of data: The Bill states that consent would be important for the processing of data, while it provides an exemption for the Government: the Government can use sensitive personal data without consent for functions of the State. This is a wide power that could be prone to misuse.
  3. Surveillance reform: An overhaul of India’s surveillance framework, with tougher oversight and scrutiny by the judiciary, is absent.

The Centre has seemed in no hurry to bring strong laws to protect the privacy of our data; rather, it is more inclined towards making policies related to our data. This shows that the Centre wishes to treat our data as a public good, which can be monetised or exploited as long as there is no breach of our data. It is a kind of secular bill where the Government, without persecution, can snoop into our data.

References:

Websites:

  1. http://elplaw.in/wp-content/uploads/2018/08/DataProtection-26-Privacy-Issues-in-India.pdf
  2. https://theprint.in/opinion/surveillance-power-diluting-privacy-why-modi-govts-data-bill-needs-urgent-modification/382854/
  3. https://economictimes.indiatimes.com//tech/internet/personal-data-protection-bill-likely-to-be-tabled-in parliament-in-budget session/articleshow/78477401.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst
  4. https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and analysis#:
  5. https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-all-you-need-know
  6. https://www.drishtiias.com/daily-updates/daily-news-editorials/personal-data-protection-bill-2019
  7. https://www.prsindia.org/billtrack/personal-data-protection-bill 2019

Case:

  1. K. S. Puttaswamy (Retd.) vs. Union of India, (2015) 8 SCC 735

Bare texts:

  1. The Constitution of India, 1950
  2. The Personal Data Protection Bill, 2019

[1] Data Protection & Privacy Issues in India, available at: http://elplaw.in/wp-content/uploads/2018/08/DataProtection-26-Privacy-Issues-in-India.pdf (last visited on: 4th October, 2020)

[2] K. S. Puttaswamy (Retd.) vs. Union of India, (2015) 8 SCC 735

[3] Personal Data Protection Bill likely to be tabled in Parliament in Budget session, available at: https://economictimes.indiatimes.com//tech/internet/personal-data-protection-bill-likely-to-be-tabled-in parliament-in-budget session/articleshow/78477401.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst (last modified on: 4th October, 2020)

[4] Section 3 (11), The Personal Data Protection Bill, 2019

[5] Section 3 (28), The Personal Data Protection Bill, 2019

[6] Section 3 (36), The Personal Data Protection Bill, 2019

[7] Section 3 (13), The Personal Data Protection Bill, 2019

[8] Anirudh Burman, Surveillance power, diluting privacy: Why Modi govt’s data bill needs urgent modification, available at: https://theprint.in/opinion/surveillance-power-diluting-privacy-why-modi-govts-data-bill-needs-urgent-modification/382854/ (last modified on: 8th March, 2020)