PERSONAL DATA PROTECTION BILL IN THE LIGHT OF RIGHT TO PRIVACY

Photo by Serpstat on Pexels.com

We must have studied about the term ‘Data’ with respect to computer science and mathematics during our school age and this is so because of the importance it owns. So, what is data?

In simple terms Data is nothing but some useful information.

Now, with the advent of digital age, the importance of data is reaching to a new height. It is playing a very crucial role and an intelligent use of data can become a game changer in this digital world. Earlier nation’s growth and power was measured in the amount of natural resources like coal, minerals, oil and metals, it owns but now data rich nations are the most powerful. It can bring a transformative effect on the nation’s growth. Data is acting as a critical means of communication in new digital economy. From getting an employment to buying something from market, we are one or the other way sharing our personal data.

Personal data generally means any information relating to an individual. It is also known as personally identifiable information (PII).[1] 

The availability and sharing of large amount of data is creating concerns regarding its misuse. Easily accessible data is giving way to fraudulent activities and posing threat to the privacy of the individuals. Right to privacy being a fundamental right needs to be protected in this growing technological world. People have right to protect their informational privacy and if they are sharing it with the state, organization or any other person with good faith then their faith should be protected by assuring that their personal data will not be misused and there should no fraudulent activity. If they fail to protect it then proper redressal system and remedy must be provided to them for the breach of personal data.    

Personal Data Protection Bill is one of the steps forward by the Indian government to protect the informational privacy of people. This bills objective is to protect the right of privacy of individuals regarding their personal data and regulates the organizations collecting and processing such data.

Though this Bill is a welcome step but it needs a careful analysis to know whether it is actually protecting the informational privacy or not because it’s a very sensitive matter and any loophole will result in infringement of right to privacy of individuals guaranteed under Article 21 of the Indian constitution. The Bill is likely to have a huge impact on the multi-national corporations doing businesses in India. The government must ensure people that their rights and freedoms are protected and for that the Bill should be a stringent law when it comes to protection of informational privacy. Any unauthorized use or processing of personal data will result in great harm to individuals.  

This research article concerns about Personal Data Protection Bill in the light of Right to privacy. But first of all before proceeding towards the deep study about the topic, there are some important definitions which need to be discussed here for better understanding.

What is Data?   

“Data” means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means.[2]   

What is Personal Data?

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[3]   

According to National Institute of Standards and Technology personally identifiable information means “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”[4]   

The Personal Data Protection Bill, 2019 defines personal data as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include inference drawn from such data for the purpose of profiling.”2

In the age of information personal data is becoming more prevalent and now it feels like we are living in a web of data. Tim Cook, Apple CEO once stated, “Our own information is being weaponised against us with military efficiency. Every day, billions of dollars change hands and countless decisions are made on the basis of our likes and dislikes, our friends and families, our relationships and conversations, our wishes and fears, our hopes and dreams. These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded and sold.”[5] Nowadays personal data is easily accessible, it can be exploited to steal the personal information of any person and use it in criminal acts. Therefore, it is of utmost importance to have a concrete law for data protection.                                                                                      

To curb the misuse and protect the privacy of individuals various countries have enacted legislations and one of such step is Personal Data Protection Bill, 2019 by the Government of India. This Bill was enacted on the recommendation of Supreme Court of India.

Right to Privacy-

It was held that Right to Privacy is a constitutionally protected right which emerges primarily from the guarantee of life and personal liberty in Article 21 of the constitution. It is constitutional core of human dignity. Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation.[6] Though Right to Privacy is not an absolute right but any violation or encroachment upon this right by a legislative or executive action is only justified if it is according to procedure established by law and that procedure must be reasonable. Right to privacy has two sides, first is a restriction on state to not infringe the life and personal liberty of a citizen while the other one is an obligation on the state to protect the privacy of the individuals.

The Supreme Court of India recommended the central government to make a stringent law relating to data protection by carefully analyzing and making a balance between individual’s interest and legitimate concerns of the state. This resulted in introduction of Personal Data Protection Bill, 2019 in the Lok Sabha. The General Data Protection Regulation and the judgment of Justice K.S. Puttaswamy v. Union of India6 played a crucial role in formulation of this Bill.

The main objective of the Bill is to protect the privacy of individuals with respect to their personal data. It will govern and regulate the entities collecting and processing such data and will increase the trust of people while sharing their data.                                                               

It also lays down norms for social media intermediary, cross border transfer, accountability of entities processing personal data and remedies for unauthorized and harmful processing.2

Some important features of this Bill-

Definition of Data Fiduciary: it means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.

It tells about necessary steps to be taken by data fiduciary while processing such data like designing privacy policy, maintaining transparency, etc. Though personal data should be processed only on the basis of consent given by the data principle but it also specifies grounds for processing of personal data without consent of data principle. It divides data into three categories personal data, sensitive personal data and critical personal data.

Some of the rights available to data principle are-  It can ask for information regarding confirmation and summary of personal data; correction of inaccurate data; erasure of personal data which is no longer necessary, etc; Right to restrict the disclosure of his personal data.2

It contains provisions related to restriction on transfer of personal data outside India. It also specifies grounds for creation of sandbox, power of central government to exempt any government agencies from the applicability of this Bill.

It provides for establishment of Data Protection Authority of India by the Central Government for the purpose of privacy protection. Powers, functions and provisions related to making of the authority is given under chapter IX of this Bill. It also provides for the establishment of appellate tribunal.

It lays down rules for penalties and remedies available to data principle. Many more features are there but it’s not possible to list all of them here.

The BN Srikrishna committee in its report had stated that “a data protection law, to be meaningful should, in principle, apply to the State. It would indeed be odd if a law enacted to give effect to a fundamental right to privacy does not serve to protect persons from privacy harms caused by processing of personal data by the state.”[1] Some of the provisions in the Bill which are diluting the right to privacy are discussed below:

Government is the largest collector of personal data and giving power to exempt government agencies from applicability of this Bill might jeopardize informational privacy.                              The Bill gives power to create a sandbox for technological innovation in public interest. Data fiduciaries included under this will be exempted from complying with certain conditions of the Bill. It is good to encourage technological innovation but it should not be done at the cost of privacy of people. There must be an effective mechanism to check the misuse of sandbox and ensure safety.                                                                                                                                 

As per the Bill, the “procedure, safeguards and oversight mechanism to be followed” for surveillance will be prescribed in the rules to be made by the government. It is trite law that if discretionary powers are given to the executive branch of the government, it must be accompanied by clear and specific guidelines for the executive to exercise the power.[2]                                                                                                                                                The members of Data Protection Authority (DPA) are to be appointed by a selection committee consisting of officers of central government. It would be better if DPA is appointed by a committee independent of central government because government is the largest collector of personal data so the authority having responsibility for protection of informational privacy must be outside the influence of government. It should have a judicial representation.                                                    

Data Protection Authority has limited power than central government. But originally it should have been an independent authority acting in an unbiased manner away from the control of the government. It should have power to penalize even government for the breach of personal data.

Conclusion

 Informational privacy is the facet of the right to privacy.6 So, to protect the informational privacy and curb the arbitrary actions of state and non-state actors with regard to personal information, the Personal Data Protection Bill is introduced.

The Bill, 2019, if passed, is ready to make drastic change in collection and processing of personal data. It is a welcome step as it will provide a check and balance on state and non-state actors using such data. This framework will regulate the organizations which were earlier dealing in an unregulated manner. But the draft of the Bill presented in 2018 by Justice BN Srikrishna committee was more stringent than the actual Bill of 2019. It also diluted some of important provisions which were critical in protecting the informational privacy of data principles. The exemption given to government agencies and allocation of more powers to the union government in matters of data protection would defeat the objective of this Bill and put informational privacy of data principles at stake. The exemption may leave a scope of misuse of personal information. More power and judicial representation should be given to Data Protection Authority so that it can act in an unbiased manner. Protection of informational privacy should be the primary goal of this Bill and no exemption should be given which might harm citizens. It must include all the necessary safeguards required for protecting privacy. It should not be only for namesake rather establish a stringent data protection regime.

But there is still a ray of hope because the Bill is referred to a joint parliamentary committee consisting of 10 members from Upper House and 20 members from Lower House. Let’s hope that the joint committee will review and consider the loopholes present in it so that India can get a stringent law for protecting the informational privacy. 

Author: Ritika Singh


[1] Personal Data, available at: http://en.m.wikipedia.org (last visited on May 10, 2021).

[2] The Personal Data Protection Bill, 2019

[3] The General Data Protection Regulation (GDPR), 2016/679,  Art. 4(1).

[4] NIST Special Publication 800-122, available at: http://www.nist.gov (last visited May 10, 2021).

[5] https://www.cnbc.com/2018/10/24/apples-tim-cook-warns-silicon-valley-it-would-be-destructive-to-block-strong-privacy-laws.html, (last visited May 11, 2021)

[6] Justice K.S. Puttaswamy v. Union of India, AIR 2017 SC 4161.

[7] Justice B.N. Srikrishna Committee of Experts, “Report of the Committee on Data Protection- A Free and Fair Digital Economy Protecting Privacy, Empowering India” submitted to Ministry of Electronics And Information Technology (July, 2018)

[8] Devika Sharma “Personal Data Protection Bill, 2019-Examined through the Prism Of Fundamental Right to Privacy- A Critical Study”, available at www.scconline.com (last visited on- May 11, 2021)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s