Data Protection Bill

Several countries now have legislative protection for personal data. The government of India also realizes the need for a data protection law. Hence, the government submitted a draft for personal data protection under the Joint Parliament Committee. The Personal Data Protection Bill, 2019 is currently in front of the parliament’s winter session of 2021, and the committee which had been deliberating on the bill since it was introduced in parliament has made various recommendations for modifying the draft. The joint parliamentary committee moved a motion in Lok Sabha & sought an extension for the report on the bill and  based on the report submitted, a committee is formed to thoroughly investigate and analyze the PDP Bill.

A Constitutional Bench of nine judges of the Supreme Court of India in the case of  Justice K.S. Puttaswamy  v. Union of India, 2017 upheld that privacy is a fundamental right, which is vested in Article 21 (Right to Life & Liberty) of the Constitution. And this judgment led to the formulation of the pervasive Personal Data Protection Bill 2019.

Individuals, as citizens and consumers need to have the means to exercise their right to privacy and protect themselves and their information from abuse. This is particularly the case when it comes to our personal information. Data protection primarily focuses on protecting our fundamental right to privacy, which takes the centerpiece in all international and regional conventions and laws.

Data protection is commonly defined as the law designed to protect your personal information, which is collected, processed, and stored by “automated” means or intended to be part of a filing system. To empower us to control our information and to protect us from abuses, it is essential that data protection laws restrain and shape the activities of companies and governments. These data centric organizations and institutions have repeatedly proven to the world that unless there are strict regulations in place which safeguard user’s privacy and holds them responsible for their actions, they will endeavor to collect it all, mine it all, save it all and  tell us nothing at all.

A relationship is established by default between a service provider and the user or state & citizen where a service provider collects information from the user, and the state collects information from the citizen. Before the PDP bill, there was no legislative or statutory protection of the users' interests in those relationships. In the case of a service provider and a user of service, this relationship was largely controlled by an ordinary contract law & there was no statutory protection for this relationship protecting the interest of the user.

Till today, there exists a huge power asymmetry between service provider & user. This power asymmetry stems largely because of incomplete and vague information provided to user by the service providers and the information if provided is buried in the fine prints of never-ending terms and conditions . This make the user unable to forecast the harms that are caused by the service provider by violating privacy. For instance, personal data is collected without a limitation of purpose, without telling the user what purpose it needed.

The Information Technology act, 2000 and particularly the reasonable security practices rules came in 2008 are also a part of the history & background of data protection laws in India. However, the contemporary history of data protection laws in India arguably starts with the Adhar case (Justice K.S. Puttaswamy  v. Union of India, 2017). The Adhar program came to be challenged before the Supreme Court between 2012 & 2018 when the Supreme Court passed the final judgment upholding parts of the program and striking down some parts of the Adhar program. 

While the Adhar case was pending, the government made a proposal to the court particularly with the right to privacy reference was made, where the government took a position that Indians had no Fundamental Rights to privacy at all, and not guaranteed under the constitution. The government constituted a committee with retired Supreme Court Judges & other legal experts to draw up & forge the data protection bill.

Any data protection legislation must be based on fundamental principles that have been recognized and evolved over by people working in privacy & data protection laws. The Personal Data Protection Bill, 2019 was introduced in parliament in 2018. The bill establishes a framework to protect people’s personal data from entities that collect & use the data. Soon after its introduction, the bill was referred to a joint parliamentary committee for further examination; the bill places certain obligations on data fiduciaries on those who collect & use data.

 

The specifications of Data Protection Bill, 2019 are following:

 

• Government defined three types of data under the bill:

1. Personal Data- Name address or any other general information of any individual. This personal data can be store and process anywhere without any restrictions and consent by government.
2. Sensitive Personal Data- Gender identity, Health data ,and financial data, etc. Such personal sensitive data will store & process in India only, if it will process outside of India then, service provider or government has to take consent of individual and data protection authority.
3. Critical Personal Data- Data related to national security, armed forces, etc. such data will store & process only in India, there are no exceptions in such data matters.

• Inclusion of Non-Personal data- The bill makes some exceptions defined as non-personal data for obtaining consent. Consent will not be required for events such- Medical emergencies, Legal proceedings or when the government providing a benefit or services to the individuals like, traffic patterns, demographic data, etc.

• Mandatory Social Media Verification- Under this bill government mandate the social media account’s verification and direct social media websites not to entertain any account without valid verification to reduce the personal data hacking and data theft activities from social media accounts.

• Data Protection Authority & DPA officer- There will be a Data Protection Authority under the bill to regulate & oversee the data fiduciaries. It will protect the interest of individuals and ensure no one misuses the individual’s personal data. The permission of the Data Protection Authority by the DPA officer will be required to process any data out of the jurisdiction. Every company will have a Data Protection officer to ensure the compliance of the bill.

• This bill provides portability & access to individuals of their data. It also includes words like, ‘Purpose Limitation’ & ‘Collection Limitation’.

• Inclusion of Right to be Forgotten- Based on the judgment of Justice Puttaswamy case bill includes the Right to be forgotten which states, “ability of an individual to limit, delink, delete or correct the disclosure of the personal information on the internet that is misleading, embarrassing or irrelevant, etc.”.

• Penalty Provisions- If any service provider company which is storing data and not abiding the legislature and any above rule then, bill allude the penalty on such violation.

              1. For any minor violation- 5 crores OR 2% of their global turnover.
              2. Major violation- 15 crore OR 4% of their global turnover.

 

• Data Sovereignty
• It will alleviate the threat of cyber-attacks and mitigate the damages caused due to them.
• There will be less chances of data breach.
• Social media can be free from rumors and fake news in case the verification of accounts is processed in a systematic manner.
• Improve the tax regime.

 

• Reasonable Purposes- It can be perceived as nothing but the undue interference of government in the private life of individuals.
• Cyber-attack’s Encryption - The bill comes with a need for creation of strong wall for encryption of data because, level of encryption decides the vulnerability towards cyber-attack. Hence, without ensuring strong encryption we cannot reduce these attacks.
• Protectionist Policy- This bill can hamper the climate of our economic investment from different countries. It could lead to investors backing out which have data collection as the core of their product or service.
• Startup’s effect- The provisions of PDP bill can hurt our ease of doing business and strain India’s connections with various countries.

 

With today’s technological advancements, the need of the hour is to have a comprehensive and all-round protection of data where every individual is informed of the data shared by his consent to its service provider, the intended usage of this data by the service provider, the security level of the shared data and the repercussions to be encountered if the data is breached. At present, the Information Technology Act, 2000 (the Act) and rules enumerated under it primarily govern data protection of individuals in India. This act was amended in 2008 earlier to meet the rise of cybercrimes in India and help individuals to protect their personal data. However, these amendments are incomplete to deal with the present scenarios. The PDP amendment has added two important provisions that have a strong bearing on data protection laws. These are sections 43A and 72A. But the provisions pertaining to data security and confidentiality are still majorly inadequate and incomplete.

Article 21 of the Constitution guarantees every citizen the fundamental right to personal liberty which includes the right to privacy and by extension private data not available in public domain. This right extends to data in electronic forms and the Information Technology Act, 2000 (“IT Act”) vide Section 66E dealing with punishment for violation of privacy, facilitates protection of such data.

The name of Personal Data Protection Bill, 2019 has changed by the joint parliament committee and now it will be known as Data Protection Bill, 2021. It is currently pending consideration of the Indian Parliament and may undergo significant changes to its current form, based on a report submitted by a Joint Parliamentary Committee. This Bill is expected to come into effect towards the end of this winter session of parliament in 2021.

Data protection laws in India faced many problems and resentments due to the absence of proper legislative frameworks. India being the largest democratic country in terms of population hosts the largest amount of shared data to the service providers and thus is an easy target for cyber-criminals mainly due to lack of proper law and uninformed people in the domain of data privacy. Also, individuals in India face many problems like data theft and misuse due to the deficiency of the Data Protection Statute.

To protect Indian citizens from the breach of data privacy, we not only need a strong legal code of conduct but also an effective cyber force actively preventing and monitoring the privacy breach incidents as well as keeping everyone accountable for their actions. Hence, after several modifications in the Personal Data Protection Bill, 2019 now we are expecting a comprehensive Act fulfilling all the requirements that may pass by parliament in 2021.