Demand of the question
Introduction. Contextual introduction.
Body. Key Features of Personal Data Protection Bill, 2019. Key issues related to the bill.
Conclusion. Way forward.
Data protection refers to policies and procedures that seek to minimise intrusion into an individual’s privacy caused by the collection and use of their personal data. Over the years, rapid technological advances have produced large volumes of data, which are at risk from increasing cyber crime. With the penetration of Aadhaar, the risk related to data has increased. To safeguard the interests of Indian citizens, the government has introduced the ‘Personal Data Protection Bill, 2019’.
Key Features of Personal Data Protection Bill, 2019:
- Personal data definition: The Bill defines ‘personal data’ as any information which renders an individual identifiable. It also defines data ‘processing’ as the collection, manipulation, sharing or storage of data.
- Territorial applicability: The Bill covers the processing of personal data by both government and private entities incorporated in India, and also by entities incorporated overseas if they systematically deal with data principals within the territory of India.
- Grounds for data processing: The Bill allows data processing by fiduciaries if consent is provided by the individual.
- Sensitive personal data: Sensitive personal data is defined in the Bill to include passwords, financial data, biometric and genetic data, caste, religious or political beliefs. The Bill specifies more stringent grounds for processing of sensitive personal data, such as seeking explicit consent of an individual prior to processing.
- Obligations of the data fiduciary: The Bill lays down certain obligations on the data fiduciary who is processing personal data. These include:
  - Processing personal data in a fair and reasonable manner.
  - Collecting only as much data as is needed for a specified purpose, and storing it no longer than necessary.
- Data Protection Authority: The Bill provides for the establishment of a Data Protection Authority (DPA). The DPA is empowered to:
  - Draft specific regulations for all data fiduciaries across different sectors.
  - Supervise and monitor data fiduciaries.
- Cross-border storage of data: The Bill states that every fiduciary shall keep a ‘serving copy’ of all personal data in a server or data centre located in India.
- Transfer of data outside the country: Personal data (except sensitive personal data which is ‘critical’) may be transferred outside India under certain circumstances.
Key issues related to the bill:
- No guidelines for processing of data: The Bill does not specify any principles or guidelines for what constitutes a ‘fair and reasonable’ manner of personal data processing.
- Conflict of interest: Selective reporting of data breaches will keep the DPA from being burdened with a high volume of low-impact data breach reports, and will also keep the burden of reporting from becoming too onerous on the fiduciary. There may be a conflict of interest while determining whether a breach is to be reported, as the fiduciary is regulated by the DPA.
- Exemptions: The above obligations and safeguards do not apply if data is processed for the purposes of national security, prevention, investigation and prosecution of violations of a law, legal proceedings etc.
- Data processing for State functions does not require consent: The Bill allows for processing of an individual’s personal data without their consent if it is necessary for any function of the Parliament or state legislature. It is unclear what functions of the Parliament would necessitate such processing of data without the consent of the individual.
- Powers and functions of the Data Protection Authority: Enforcement of penalties and compensation orders of the DPA does not require a court order. The Bill does not specify that a court order would be required for the enforcement actions.
Measures to address the issues:
- Holistic approach: It is important to strike the right balance between the digital economy and privacy protection. The law should encompass all aspects (data collection, processing and sharing practices) in an integrated manner.
- Stakeholders: The government must incorporate suggestions from various stakeholders on the draft bill.
- Transparency: Privacy should not be used to undermine government transparency. Data protection law should be framed such that it does not make government opaque and unaccountable.
- Data processing: The bill must clearly specify any principles or guidelines for what constitutes a ‘fair and reasonable’ manner of personal data processing. The Justice Srikrishna Committee Report had suggested that courts of law and regulatory authorities should be allowed to evolve principles of fair and reasonable processing.
Data protection is a must in the digital era. With the right to privacy being a fundamental right and the recent rise in risks to the privacy of individuals, a data protection law is the need of the hour. The state must prevent and investigate digital crimes, prevent misuse of data and encourage data security through legislation. It is important to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.