Context: The Personal Data Protection Bill.
More in news:
- The Personal Data Protection Bill could be introduced in either house of the Parliament in the current Winter Session which will conclude on December 13.
- According to the Justice B. N. Srikrishna committee of experts on a Data Protection Framework for India, “personal data includes data from which an individual may be identified or identifiable, either directly or indirectly”.
- The Committee sought to distinguish personal data protection from the protection of sensitive personal data, since processing of the latter could result in greater harm to the individual.
- Sensitive data is related to intimate matters where there is a higher expectation of privacy (e.g., caste, religion, and sexual orientation of the individual).
Justice B. N. Srikrishna committee:
- The Committee was constituted by the union government in July 2017 to deliberate on a data protection framework.
- The Supreme Court in its Puttaswamy judgment, 2017 declared privacy a fundamental right. This set the government in motion to take steps to bring in new data protection legislation for the country.
- The report has emphasized that the interests of the citizens and the responsibilities of the state have to be protected, but not at the cost of trade and industry.
The Draft Personal Data Protection Bill, 2018:
- Definitions: The Bill defines
  - ‘personal data’ as any information which renders an individual identifiable,
  - data ‘processing’ as any operation, including collection, manipulation, sharing or storage of data,
  - ‘data principal’ as the individual whose personal data is being processed,
  - ‘data fiduciary’ as the entity or individual who decides the means and purposes of processing data,
  - ‘data processor’ as the entity or individual who processes data on behalf of the fiduciary.
- Regulation: The Bill regulates the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. Processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits.
- Copy of personal data: The Bill requires that a serving copy of personal data be stored within the territory of India. Certain critical personal data must be stored solely within the country.
- Data Protection Authority (DPA): A national-level Data Protection Authority (DPA) is set up under the Bill to supervise and regulate data fiduciaries. The Authority is empowered to:
  - take steps to protect interests of individuals,
  - prevent misuse of personal data,
  - ensure compliance with the Bill.
- Rights of the individual: The Bill sets out certain rights of the individual. These include:
  - right to obtain confirmation from the fiduciary on whether their personal data has been processed,
  - right to seek correction of inaccurate, incomplete, or out-of-date personal data,
  - right to have personal data transferred to any other data fiduciary in certain circumstances.
- Obligations of the data fiduciary: The Bill sets out obligations of the entity that has access to the personal data (data fiduciary) such as:
  - implementation of policies with regard to processing of data,
  - maintaining transparency with regard to its practices on processing data,
  - implementing security safeguards (such as encryption of data),
  - instituting grievance redressal mechanisms to address complaints of individuals.
- Grounds for processing personal data: The Bill allows processing of data by fiduciaries if consent is provided. However, in certain circumstances, processing of data may be permitted without consent of the individual, including:
  - if necessary for any function of Parliament or state legislature, or if required by the state for providing benefits to the individual,
  - if required under law or for the compliance of any court judgement,
  - to respond to a medical emergency, threat to public health or breakdown of public order,
  - for reasonable purposes specified by the Authority, related to activities such as fraud detection, debt recovery, and whistle blowing.
- Exemptions: The Bill provides exemptions to certain data processing activities. It states that processing of an individual’s personal data will not be subject to the obligations specified, and the data principal will not have the rights defined in the Bill, if their personal data is processed for the purposes of
(i) national security (pursuant to a law),
(ii) prevention, detection, investigation and prosecution of contraventions to a law,
(iii) legal proceedings,
(iv) personal or domestic purposes,
(v) journalistic purposes.
- Civil society groups have criticised the open-ended exceptions given to the government in the Bill, allowing for surveillance.
- The Bill mandates storage of a copy of personal data within India to expedite law enforcement’s access to data. This purpose may not be served in some cases, such as when the fiduciary is registered as an entity in a foreign country. Moreover, it is contended that security and government access are not achieved by localisation. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
- The Supreme Court, in Puttaswamy vs UoI, allowed exceptions to the right to privacy of an individual under certain situations. These include cases where a larger public purpose is satisfied by the infringement of privacy of an individual. Such an exemption must be backed by a law, and must be necessary for and proportionate to achieving the purpose. However, it is unclear if exemptions for legal proceedings, or for research and journalistic purposes meet the requirements of necessity and proportionality.
- The data principal may raise a complaint only if a violation of the provisions of the Bill has caused, or may cause, them harm. It could be questioned why the mere violation of the rights of the principal is not enough to raise a complaint. The data principal additionally has to demonstrate and prove that harm has been caused to them by unlawful data processing, which may place an undue burden on the data principal.
- Bringing in legislation on data protection in the country would protect individual privacy, ensure autonomy, and allow data flows for a growing data ecosystem.
- It can create a free and fair digital economy where freedom is the enhancement of individual autonomy with regard to personal data and fairness is the regulatory framework where this individual right is respected.
- The Personal Data Protection Bill is designed to fall between the laissez-faire approach of US law and the much stricter regimen of the General Data Protection Regulation (GDPR) in force in the European Union, striking a balance between the imperatives of privacy and security.