Insights Into Editorial: Unfulfilled promise: On Personal Data Protection Bill
India’s Personal Data Protection Bill, 2019 starts encouragingly, seeking to protect “the privacy of individuals relating to their personal data”. But by the end, it is clear it is not designed to deliver on the promise.
While it rightly requires handlers of data to abide by globally accepted rules about getting an individual’s consent first, it disappointingly gives wide powers to the Government to dilute any of these provisions for its agencies.
In August 2017, a nine-judge bench of the Supreme Court declared privacy as a fundamental right of Indian citizens.
The Court also observed that ‘informational privacy’, or the privacy of personal data and facts, is an essential facet of the right to privacy.
The Personal Data Protection Bill, 2018, was prepared by a high-level expert group headed by former Supreme Court judge B.N. Srikrishna.
It is the first step in developing a privacy framework to preserve the sanctity of “consent” in data sharing and penalize those breaching privacy norms.
Personal Data Protection Bill, 2019 Features:
- Sensitive personal data can only be processed with the explicit consent of the person, and this consent needs to be informed, clear and specific. This data can only be sent abroad with Data Protection Authority
- The bill also specifies penalties for not following its provisions including a penalty of Rs. 5 crore or 2% of the turnover, whichever is higher, if no action is taken on a data leak.
- The government is entitled to direct a fiduciary (entity or individual who decides the means and purposes of processing data) to get access to non-personal data to provide better services to citizens.
- In certain circumstances, processing of data may be permitted without the consent of the individual.
- These include (i) any function of Parliament or state legislature, (ii) compliance with any court judgement, (iii) to respond to a medical emergency, or a breakdown of public order, (iv) purposes related to employment, (v) for reasonable purposes specified by the DPA.
- In the interest of national security, certain government agencies can have access to personal data for any investigation pertaining to offences.
- There is also a provision for central Government to notify critical personal data, which will then be only processed in a server or data centre located in India.
Points of concern:
- Localisation of data will likely make India an infeasible market for services that cannot offset the financial or logistical costs of localisation.
- It may prevent Indian start-ups or the services industry from expanding globally. Additional costs may be passed down to consumers for certain digital services.
- Recently, messaging platform WhatsApp said that some Indian journalists and rights activists were among those spied on using technology by an Israeli company, which by its own admission only works for government agencies across the world.
- Google too had alerted 12,000 users, including 500 in India, regarding “government-backed” phishing attempts against them. The Indian Government has still not come out in the clear convincingly regarding these incidents.
- Data Fiduciary: The entity that collects and/or processes a data principal’s data. The relationship is that of trustee and beneficiary.
- The Bill states that every data fiduciary shall keep a ‘serving copy’ of all personal and sensitive personal data in a server in India.
- Significant Data Fiduciaries: The Data Protection Authority labels certain entities as Significant Data Fiduciaries, depending on their data processing, such as volume of data, sensitivity of data and company turnover.
- The government may notify certain ‘critical personal data’ which shall be processed only in servers located in India. However, the definitions of ‘serving copy’ and ‘critical personal data’ are not provided.
- As per the bill, wherever the government finds it necessary, it can direct that all or any of the provisions of this Act shall not apply to any agency of the government in respect of the processing of such personal data.
- Above all, localisation might save Indian data from foreign threats but placing the servers on home soil increases the risk of domestic threats while also dealing with the challenge of inadequate infrastructure.
Personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India.
However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
The law will cover the processing of personal data by both public and private entities.
Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
However, the DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.
Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses.
The sweeping powers the Bill gives to the Government render meaningless the gains from the landmark K.S. Puttaswamy vs. Union of India case, which culminated in the recognition that privacy is intrinsic to life and liberty, and therefore a basic right. That idea of privacy is certainly not reflected in the Bill in its current form.
Data protection, storing and sharing are very important aspects as far as India’s voluminous data is concerned.
India’s draft e-commerce policy and the B N Srikrishna committee report are of prime importance for an aspirant. The pros and cons of data localization for a hugely populated country like India have to be studied in detail.
In an era of huge numbers of mobile and internet users, there should be a law that takes care of all the above aspects.