Data Protection Bill: Protector of right to privacy?

Reading time: 8-10 minutes.

Introduction:

The world has seen the gradual development of technologies and also the need of new things as we move forward in time. The initial system barter trade, where the trade was between things, gradually changed to trade of goods and services for monetary value. The need for identity, the need of debit and credit cards, the need for mobile phones and a unique phone number, postal address, etc. These are all a person’s private information, or in other words, it is the personal data. Personal data is the data with which, a particular individual can be identified. The basic meaning of data in its basic sense is “Raw data or information”[1]. But when it comes to legal aspect, there has to be a particular definition about data which can be relied upon. That definition is given by Information Technologies Act,2000. It defines ‘data’ as, “A representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.”[2]. Some of the recent happenings in the world, where there the news of personal data of many people were stolen either by hacking or voluntary exchange of data, there was consideration of formulating new laws that could help protect the data.

              Data protection is defined as “Any method of securing information, especially information stored on a computer, from being either physically lost or seen by unauthorised person”[3]. The development and evolution of a law that aimed primarily for protecting the data can be said ineffective to certain extent. The data protection has been declared as a tort, since then, a challenge that has emerged is the said tort is contrary to the data protection law. The hurdle faced by the courts is that of assessment and recognition of damage when it’s the question of data that would involve. The year 2017, country received a landmark judgment which declared privacy as a fundamental right of each and every Indian citizen. The privacy of a person can be violated in 2 ways wherein first one is interfering in private matters and other one is stealing the data of person. The data here can be anything. It can be his name, his blood group, his contact number, his important documents, his debit and credit card details, bank details and many more. Those are also his personal property and hence must be protected from external hackers who try to steal this personal information for their benefit. This research paper would describe the steps taken by the central government in initiating actions for protecting the personal data of each and every individual.

                  The research aims at providing the readers complete understanding about the data protection laws, the history of how they evolved, their present status with the backing of information given by the central government and also the data protection bill that was enacted in the year 2019.

History:

                The word data has been in use from time immemorial. Although the data in present day world is different from the data earlier. With the evolution of technology, the data collection mechanism also changed and upgraded itself along with the technology. The data that was being stored on paper, now is being stored in computers and other upgraded elite storage mediums. In olden days, the books of records were kept safe in a lock and none would dare to steal them. But in the modern-day world, people often try to steal the personal data as it is not difficult, because by just one click, any selected data can be yours with disturbing other files or data available. The world of hackers, who are professionals in coding and decoding are the ones who steal the personal data due to greed of money.

                Now in 21st century, data can be regarded as a personal asset and the most valuable one, because it can help a man earn a crore as well as loose a crore. When data has such capacity, its flow has to be regulated and has to be placed under check. The people are the ones that generate these useful data and certainly the responsibility of securing our data and right to know whether our data is secure is or not lies with us. Also, the people must have the knowledge of the ways in which their data are being processed. This is where the requirement of data protection laws can be highlighted. These laws were needed for the beneficiary of people and to create a transparent window about the use and processing of their personal data. India, is not the only country to enact these laws. There have been many enactments across the globe starting from Sweden to recent one in India. Developed countries like Australia, Brazil, Argentina, Canada, etc have enacted data protection laws. The first country to formulate and enact the data protection laws is Sweden. The country had passed the law of data protection almost 48 years ago i.e., in 1973 and the laws came to force from the yar 1994. The laws established a ‘Data Protection Authority’ and it declared the handling of personal by any company or person as illegal. The usage of any kind of information systems or anything that can help to process personal data without a license was declared an offense. In the latter half of 20th century, citizens of Europe started to worry about the increasing use of personal data and storage of personal data, the law was adapted by the other parts of Europe as well. Later in the year 1995, the European Union framed a set of data protection laws and the countries of EU decided to implement them.  It was known as ‘Data Protection Directive of 1995’ but implemented in 1998. So, the model of data protection laws is derived from the European nations.

Law in Indian Context:

                  India is regarded as the world second most populous country with 131 crore population. In such a country, the data is just like ocean where there will be collection of enormous data. This is one of the main branches which generates high income for the data collection and processing companies, exchanging the data outside the territory in exchange for monitory value. This flow of data is termed as “Cross border flow of data”. Now to regulate and protect the flow of personal data, “The Personal Data Protection Bill”[4] with 98 clauses and a schedule was passed in the year 2019 by the then Minister of electronics and information technology-Ravi Shankar Prasad. The primary aim of drafting and implementing the bill was “protection of privacy of individuals relating to their personal data, specify the flow and usage of personal data”[5]. So, from the preamble of the bill, it can be understood that, the bill was created for protection of people’s personal data and also to establish the relationship between the people and the data collecting and processing companies, termed as data fiduciaries. The whole point of drafting this bill was ‘privacy’.

                    On 24h August of 2017, there was a landmark judgment was delivered in the case of K. Puttaswamy v. Union of India[6]. The constitutional bench of supreme court held that privacyis the fundamental right of each and every citizen under article 21 of the Indian Constitution. The same was stressed upon in 2018, where a five-judge bench of Supreme Court, took note of the negligent act of government towards protection of data relating to an individual. But, the government in the year 2017 itself had constituted a committee headed by former justice Srikrishna to examine the issues related to data protection. The report of recommendation was submitted by the committee in the year 2018 and the laws were never made until the Supreme court suggested the government. After considering the recommendations made by justice Srikrishna committee, this bill was drafted in the year 2019. It seeks to bring a very strong and robust data protection legal framework that creates authorities, imposes limitations, establishes redressal agencies and at all cost, protect the privacy of the Indian citizens.

Recommendation by Supreme court:

                The bill lays down the obligations of the data fiduciaries. Data fiduciaries can be private data collecting and processing companies, state government and central governments, social media handlers like twitter, Facebook, WhatsApp, etc. The state and central governments are one of the largest fiduciaries that in wide array of state activities such as national security, welfare administration, etc. But there are many cases filed against the government themselves for breach of fundamental right. Only in recent times, the people have shown the courage of moving against the private companies for claiming compensation. The traditional approach in the cases of violation of any fundamental right, were taken by the constitutional courts. But the major focus of this law is to establish a Data Protection Authority (DPA) that functions independently from government. There should be no influence by the government on the body which ensures this law is implemented clearly and without any discrepancies. The bill provides the rights of data principal under the chapter 5 from clause 17-21. So, this cannot be violated by government as well and to ensure this is not happening, a completely independent and unbiased authority is needed.

The Data Protection Authority has been empowered under clauses 41-56 and these clauses specifies the duties, responsibilities, jurisdiction, codes of practice and other important rules. So as per this, there will be a chairman and other authorities appointed. So, for this authority to function independently and free from bias, the officers or the authorities, the government must not be involved. It has to be done by the judiciary or a judicial body comprised of sitting judges or the former judges. With this, the influence of the government can be prevented and also, the DPA can take steps if the government has violated the rules it has framed. Also, this bill lays down the provision of setting up, a separate tribunal for hearing the cases related to the violation of any clause under this act. The objectives of this draft must be implemented and ensured the data of individual and also to provide speedy justice and redressal if the right of privacy is violated. Although the draft bill is prepared with good intention, the further action by the government decides the fate of this act.      

Author: Karthik Surya MR, Christ University, Bangalore


[1]  1. Lesley Brown’s the New Shorter Oxford Dictionary (on Historical Principles), pg.595, Claredon Press’s,1993.

[2] Section 2(1)(o) Information Technologies Act, 2000

[3]  Bryan A. Garner’s Black’s law dictionary, 10th edition, Thompson Reuters, 2010

[4] Bill number 373 of 2019

[5] Preamble of the ‘Personal Data Protection Bill of 2019’

[6]  (2017) 10 SCC 1

Data Protection Bill and Right to Privacy- An Analysis

Reading time: 8-10 minutes.

On December 11, 2019, the Minister of Electronics and Information Technology, Ravi Shankar Prasad introduced “The Personal Data Protection Bill” in the lower house. The bill aims to ensure, inter-alia, the protection of individuals’ privacy in relation to their personal data, the transparency of organisations and institutions processing personal data, and to establish a Data Protection Authority (hereinafter referred to as “DPA”), for the various purposes that the Bill seeks to fulfil. The Bill is the response of the Government of India to the long-standing need for a “data protection regime” to protect citizens’ personal data that they knowingly or unknowingly provide to various internet websites.

The Government of India constituted a Committee of experts on Data Protection on 31st July 2017, which was headed by Justice B. N. Srikrishna, to examine the issues pertaining to the Data Protection in India, and the report of this Committee was submitted on 27th July, 2018. Later, the Government placed the Bill in public domain, for feedback and suggestions from various stakeholders, ministers and consultants. Based on these suggestions the Union Cabinet approved a revised Personal Data Protection Bill, 2019, on December 4th, 2019. Later, the Bill was introduced in the Lok Sabha on December 11, 2019 and was referred to a Joint Select Committee of both the houses.

The right to privacy has been recently recognised as a fundamental right emerging primarily from Article 21 of the Constitution, in Justice K.S. Puttaswamy (Retd.) v. Union of India. To make this right meaningful, it is the duty of the State to put in place a data protection framework which, while protecting citizens from dangers to informational privacy originating from State and Non-State actors, serves the common good. It is this understanding of the State’s duty that the Committee must work with, while creating a data protection framework.

Major Features of the Bill:

The Bill regulates the processing of personal data by States, companies incorporated in India, and international companies dealing with personal data of individuals in India. The Bill sets out the fiduciary data responsibilities (i.e. the body deciding the intent and means of processing personal data) that certain accountability and transparency steps must be taken when detecting the data. The Bill requires personal data to be handled by data fiduciaries only if the data principal (i.e. the person to whom the data relates) has given his permission.

The Bill further provides a legal framework for the collection and use of personal information. While providing a collection of rights and obligations for the processing of personal data, the Bill proposes the creation of a DPA, to control and implement the legal structure. The Bill also vests the Central Government with substantial standard-setting powers and tasks the DPA with implementing the same. An important characteristic of the Bill is, its broad scope of applicability. If implemented, it would apply to all companies other than those expressly exempted across India. This will involve any organization that collects data using automated means. The DPA shall have the power to define small entities based on turnover, data volume handled and data collection purposes.

Further, the Bill makes consent an important factor to the proposed data protection framework. The Bill also proposes that the personal data of individuals should be accessed only on the basis of free, informed and detailed consent, with provisions that allow such consent to be withdrawn. Any processing of data without such approval would constitute a breach, which could result in penalties under Sections 11 and 57 of the Personal Data Protection Bill, 2019. Section 11 of the Bill establishes a separate category of ‘sensitive personal data’ and states that such data can only be processed with ‘explicit consent’.

There are certain grounds mentioned in Section 12 of the Bill, in which personal data can be processed without the consent. The grounds are, if personal data is required for the benefit of principal data, legal proceedings, response to medical emergencies or for the maintenance of law and order. The Bill also allows the Central Government to guide data fiduciary to include confidential personal data or non- personal data so that the Central Government can better plan the delivery of services or formulate evidence-based policies. According to the Bill, data fiduciaries must institute mechanisms for age verification and parental consent when processing sensitive personal data of children as stated under Section 16. Further, under Chapter V, the Bill gives certain rights, like the right to obtain confirmation whether data has been accessed or not, right to correct the erroneous personal data and the right to be forgotten.

“The right to be forgotten” reflects a major part of the legislation. Under Section 20, the data principal is entitled to avoid the continued disclosure of his personal data if the purpose of the data has been served, if the consent of the data principal has been removed or the data has been unlawfully released. The Bill also empowers the DPA to take measures to protect individual rights, prevent abuse of personal data and ensure compliance with the bill.

Negative Aspects of the Bill:

Although there are many strong and progressive provisions in the Bill, there are some provisions and features of the Bill which tend to raise significant concerns regarding the effectiveness of the Bill in protecting the data of citizens. They are dealt with in the subsequent paragraphs: 

  • Harm and Damage to Privacy:

The Bill defines ‘harm’ in a manner which appears problematic for many stakeholders. Any discriminatory treatment or denial or removal of a service, resulting from the assessment of the data principle would be protected under it, according to the concept of damage. This Bill talks about discrimination in general, which imposes severe restrictions on business activities because many businesses have to discriminate on different grounds for the smooth functioning of business. In reality, according to the Indian Constitution, only certain types of discrimination are problematic. Within the Bill, risk of harm is concern when determining what kind of protection and privacy protections should have to be implemented into the design of business policies. The focus on this controversial concept of harm should create a significant problem for various companies, as several times they have to remove specific services from customers when discriminating on the basis of data collected from them.

  • Voluntary User Verification:

Another criticism that the Bill has faced, is its clause that allows the businesses to provide users with options to voluntarily check their identity. If users do not check their identities, they are going to be a candidate for government surveillance or analysis. This provision would raise the risk of data breaches and entrench control in the hands of major social media companies who can afford such verification systems to be installed and maintained. In addition, this will also increase the risk of user privacy breaches. It also ignores the aspect that, sometimes, social media anonymity brings benefits like whistleblowing and stalker protection.

  • No Consent- Transfer of Non-Personal Data:

The Bill also mandates companies to share non-personal data with the Government, on the grounds of public good and planning. This will not only significant privacy concerns, but it will also have a disastrous impact on companies, as many a times, companies keep trade secrets in the form of non-personal data and on its being shared, they might suffer a setback.

Conclusion:

The Personal Data Protection Bill is India’s move towards providing, inter-alia, data privacy for its people and avoiding misuse of their data. It places great emphasis on the individual’s consent before taking up his/her data for any purpose. It also has provisions for the establishment of an Indian Data Protection Authority to ensure proper enforcement of the proposed Bill. It is a long-awaited legislation, as India did not have a comprehensive law to protect its citizens’ data, leaving citizens unarmed while being exposed to a world full of cyber-crimes.

While impressive on certain counts, the Bill also has disappointing aspects, such as putting a strong emphasis on harm without adequately identifying it, making it mandatory for businesses to exchange non-personal data. The major weakness in the Bill, however, for which it earned flak from many lawyers, academics, and politicians, is the clauses that grant exemptions to the Government, through which they can allow any Government agency to circumvent the proposed Act. This clause raised significant and relevant questions about the Government’s intentions, with Justice BN Srikrishna, whose committee prepared the draft law in 2018, calling it an attempt to turn India into an Orwellian State.

Today the internet has become an integral part of our lives. Almost all the things that we do, whether public or private, official or unofficial, include the use of the internet. A large amount of data is transferred whilst performing these activities. In such a situation, ensuring data security is important, because a person’s data in the wrong hands, can have serious repercussions. There are cases where users’ data privacy has been violated, knowingly or unknowingly, by social media sites like Facebook and WhatsApp.

Therefore, a law that seeks to protect citizens’ privacy is quintessential. The Personal Data Protection Act is intended to meet this obligation. However, it is mired with certain shortcomings that can end up offering very little of the protection that the legislation promises. But the Bill also has scope for change, as it has been referred to a Joint Parliamentary Commission. The panel is expected to discuss the Bill’s shortcomings and to come up with a Revised Draft Bill that will provide Indian people with a promising legislation that delivers on the data privacy promise.

Authors: Kadam Nikitha from Army Institute of Law & CH Suswani from DSNLU.

Editor: Astha Garg, Junior Editor, Lexlife India.