Context: Personal Data Protection Bill, 2019.
More in news:
- The Personal Data Protection Bill, 2019 was introduced in Parliament in the winter session in December 2019. The Bill has been referred to a Joint Parliamentary Committee for detailed examination.
- According to the Justice B. N. Srikrishna committee of experts on a Data Protection Framework for India, “personal data includes data from which an individual may be identified or identifiable, either directly or indirectly”.
- The Committee sought to distinguish personal data protection from the protection of sensitive personal data, since its processing could result in greater harm to the individual.
- Sensitive data is related to intimate matters where there is a higher expectation of privacy (e.g., caste, religion, and sexual orientation of the individual).
Key Definitions: The Bill defines
- ‘personal data’ as any information which renders an individual identifiable,
- data ‘processing’ as any operation, including collection, manipulation, sharing or storage of data,
- ‘data principal’ as the individual whose personal data is being processed,
- ‘data fiduciary’ as the entity or individual who decides the means and purposes of processing data,
- ‘data processor’ as the entity or individual who processes data on behalf of the fiduciary.
- Data localisation: It is the act of storing data on any device physically present within the borders of a country.
Key features of the proposed bill:
- Regulation: The Bill seeks to provide for the protection of personal data of individuals (known as data principals), and creates a framework for processing such personal data by other entities (known as data fiduciaries). Processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits.
- The Bill trifurcates data as follows:
  - Personal data: Data from which an individual can be identified, like name, address etc.
  - Sensitive personal data (SPD): Some types of personal data, such as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
  - Critical personal data: Anything that the government at any time can deem critical, such as military or national security data.
- Penalty: The bill also specifies penalties for not following its provisions including a penalty of Rs. 5 crore or 2% of the turnover, whichever is higher, if no action is taken on a data leak.
- Exemptions: Processing of personal data is exempted from the provisions of the Bill in certain cases, such as security of state, public order, or for prevention, investigation, or prosecution of any offence.
- Data Protection Authority (DPA): The Bill also establishes a Data Protection Authority to ensure compliance with the provisions of the Bill and provide for further regulations.
Key Issue of data localisation:
- Among the more contentious issues in the Bill are the provisions pertaining to “data localisation”. Data localisation, which can refer to any restriction on cross-border transfer of data (for instance, requirements to seek permission for transfer, the imposition of taxes for foreign transfers of data, etc.), has largely come to refer to the need to physically locate data within the country.
- The bill enables the transfer of personal data outside India, with the sub-category of sensitive personal data having to be mirrored in the country (i.e. a copy will have to be kept in the country).
- Data processing/collecting entities will however be barred from transferring critical personal data (a category that the government can notify at a subsequent stage) outside the country.
- This purpose may not be served in some cases, such as when the fiduciary is registered as an entity in a foreign country. Moreover, it is contended that security and government access are not achieved by localisation. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
- Civil society groups have criticised the open-ended exceptions given to the government in the Bill, allowing for surveillance.
- The Supreme Court, in Puttaswamy vs UoI, allowed exceptions to the right to privacy of an individual under certain situations. These include cases where a larger public purpose is satisfied by the infringement of privacy of an individual. Such an exemption must be backed by a law, and must be necessary for and proportionate to achieving the purpose. However, it is unclear if exemptions for legal proceedings, or for research and journalistic purposes meet the requirements of necessity and proportionality.
- The data principal may raise a complaint only if a violation of the provisions of the Bill has caused, or may cause, them harm. It could be questioned why the mere violation of the rights of the principal is not enough to raise a complaint. The data principal additionally has to demonstrate and prove that harm has been caused to them by unlawful data processing, and this may place an undue burden on the data principal.
- The Personal Data Protection Bill is designed to fall between the laissez-faire approach of US law and the much stricter regimen of the General Data Protection Regulation (GDPR) in force in the European Union, striking a balance between the imperatives of privacy and security.
- The security of data is determined more by the technical measures, skills, cybersecurity protocols, etc. put in place than by its mere location. Localisation may make domestic surveillance over citizens easier. However, it may also enable the better exercise of privacy rights by Indian citizens against any form of unauthorised access to data, including by foreign intelligence.
- Privacy could be equally protected through less intrusive, suitable and equally effective measures such as requirements for contractual conditions and using adequacy tests for the jurisdiction of transfer.
- India can work toward other policies such as reforming surveillance related laws, entering into more detailed and up-to-date mutual legal assistance treaties, enabling the development of sufficient digital infrastructure, and creating appropriate data-sharing policies that preserve privacy and other third party rights, while enabling data to be used for socially useful purposes.