Personal Data Protection Bill: A Double-Edged Sword
Analyzing the complexities and critiques of the proposed Personal Data Protection Bill and how it can be both a boon and a bane to the privacy of Indian citizens.
The Personal Data Protection Bill, 2019 is an Indian bill that aims to safeguard the privacy rights of individuals concerning their data and to regulate organizations that process and possess such data. It was introduced in the Lok Sabha on December 11, 2019.
The 2019 Bill was a follow-up to a draft introduced in 2018. It was formulated to address the concerns of the draft. It has brought in certain crucial additions and revisions to the 2018 Bill. However, certain concerns that were highly debated and discussed under the 2018 Bill are yet to be addressed.
HISTORY
In India, usage of personal data or information of citizens is regulated under Section 43A of the Information Technology Act, 2000. On 24 August 2017, a nine-judge bench of the Supreme Court declared privacy as a fundamental right of Indian citizens under Article 21. The Court also observed that the privacy of personal data and facts is an essential facet of the right to privacy. This is famously referred to as the Puttaswamy case.
In July 2017, the Ministry of Electronics and Information Technology set up a committee to study issues related to data protection. The committee was chaired by retired Supreme Court judge Justice B. N. Srikrishna. The committee submitted the draft Personal Data Protection Bill, 2018 in July 2018. The bill was tabled in the Lok Sabha on 11 December 2019 by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad.
The 2018 draft Bill
The Bill regulates the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. Processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits. It provides the data principal with several rights, such as seeking a correction or seeking access to their data which is stored with the fiduciary. The fiduciary has certain obligations towards the individual while processing their data, such as notifying them of the nature and purposes of data processing.
The Bill allows exemptions for certain kinds of data processing, such as processing in the interest of national security, for legal proceedings, or journalistic purposes.
The Bill divides personal data into three categories: critical, sensitive and general. The umbrella group is all personal data, that is, data from which an individual can be identified.
- Sensitive personal data (SPD), which the Bill defines as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief and affiliation, can be stored only in India. Such sensitive personal data can be processed only with the explicit consent of the person which is informed, clear, and specific.
- Critical personal data (CPD) is personal data defined by the government from time to time and has to be stored and processed in India. The Bill gives military or national security data as examples.
- General data is any data that is non-critical and non-sensitive and has no restriction on where it is stored or processed.
A national-level Data Protection Authority (DPA) is set up under the Bill to supervise and regulate data fiduciaries. It is the responsibility of the DPA to draft specific regulations for all data fiduciaries, supervise and monitor data fiduciaries and assess compliance with the Bill and initiate enforcement actions.
Highlights of the 2018 Bill
- The data fiduciary needs to inform the DPA of a data breach if it is likely to harm the individual.
- The Bill allows exemptions for purposes such as journalism, research, or legal proceedings.
- The State is not required to seek the individual’s consent while providing benefits or services.
- The Bill mandates storage of a copy of personal data within India to expedite law enforcement’s access to data.
- It has a provision for the right to be forgotten, where the person “shall have the right to restrict or prevent continuing disclosure of personal data”.
Concerns with the 2018 bill
- The draft had said all fiduciaries must store a copy of all personal data in India. This provision was criticized by foreign countries, by technology companies that store most of Indians’ data abroad, and even by some domestic startups that were worried about a foreign backlash.
- It does not specify any principles or guidelines for what constitutes a ‘fair and reasonable’ manner of personal data processing.
- The Bill states that the fiduciary shall inform the DPA in the event of a data breach only if such a breach is likely to cause harm to any data principal. It is questioned whether the fiduciary should have the discretion to determine whether a data breach needs to be reported to the DPA.
- The exemptions have been widely questioned, with many arguing whether all exemptions defined in the Bill are warranted. It is questioned if exemptions for legal proceedings or research and journalistic purposes are required. The legitimate aims of these exemptions have to be balanced against preserving the right to privacy of data principals.
- Processing of data for functions of the State does not require consent. This raises huge privacy concerns.
The 2019 Bill
The 2019 Bill retains much of the draft bill proposed by the Justice Srikrishna Committee (2018 Bill). However, it does introduce new concepts and deviates from the 2018 Bill in certain respects.
The data localization requirements for personal data have been relaxed to an extent. However, the storage/transfer of sensitive personal data and critical personal data are still restricted. The 2019 Bill introduces the concept of a ‘consent manager’ through whom data principals can manage consent for exercising rights such as data portability, right to correction and right to be forgotten under the 2019 Bill. The DPA cannot specify new categories of sensitive personal data under the 2019 Bill. This power has been given to the central government.
The 2019 Bill gives the central government powers to direct any data fiduciary/data processor to provide non-personal data to the government to ‘enable better targeting of delivery of services or formulation of evidence-based policies’. Under the 2019 Bill, the central government can exempt any government agency from the application of the provisions of the bill on widely worded grounds as compared to limited grounds in the 2018 bill.
The selection committee under the 2019 Bill does not include a judicial member as opposed to the 2018 Bill where it consisted of the Chief Justice of India or a Supreme Court judge nominated by him.
Favouring arguments for the 2019 Bill
- The Government has argued that a robust Privacy bill is the need of the hour, especially to counter foreign cyber-attacks and safeguard the citizens’ data.
- They argue that the exemptions are warranted and are required so as not to hamper national security and to maintain the integrity of the press.
- They argue that data localization will help law-enforcement access data for investigations and enforcement. As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” — a process that almost all stakeholders agree is cumbersome.
- They argue this helps in achieving data sovereignty and helps safeguard India’s digital privacy from other nations.
- For example, WhatsApp’s firm stance on encrypted content has frustrated government officials around the world.
- Many Indian tech companies, which store most of their data exclusively in India, support localization. PayTM has supported localization, and Reliance Jio has claimed that only localization can empower data regulation for privacy and security.
- Many argue that localization will also increase the ability of the Indian government to tax Internet giants, thus producing more revenue and promoting local companies.
The Concerns with the 2019 Bill
Despite a multitude of changes from the 2018 to 2019 bill, concerns remain. The major concerns still have to do with the overreach of the government into the privacy of citizens. The data localization aspect has also been under attack. Apart from the concerns that persist from the 2018 draft:
- There are concerns that the Bill gives the government blanket powers to access citizens’ data. Justice BN Srikrishna, who had led the committee that submitted the report based on which the original Bill was drafted, said the 2019 Bill “has dangerous implications” and could “turn India into an Orwellian state.”
- Civil society groups have criticized the open-ended exceptions given to the government in the Bill, allowing for surveillance.
- The increased overreach of the central government in the 2019 bill has been cited as a major concern, so has the removal of a judicial member from the selection committee.
- The localization aspect has found significant backlash. It has been argued that security and government access are not achieved by localization. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
- Technology giants like Facebook and Google and their industry bodies, especially those with significant ties to the US, have come out against it, fearing a fractured Internet where the domino effect of the protectionist policy will lead to other countries following suit.
- This protectionism may backfire on India’s young startups with global ambitions, or on larger firms that process foreign data in India, such as Tata Consultancy Services and Wipro.
Conclusion
The Bill can be called a double-edged sword: on one hand it protects the personal data of Indians by empowering them with data principal rights, and on the other hand it bestows the central government with exemptions that are against principles of processing.