Data Protection Bill: The State Will Monitor The Data, But Who Will Monitor The State?

Note: The Prime Ministerial Brief podcast is now live! Head here to listen and subscribe to the latest episode on issues that young India wants the Prime Minister to pay attention to.

With over 500 billion active web users, an infinite amount of data is generated as well as consumed, in India, literally every passing minute. Such a huge repository of data, without the protection of any legal framework, can lead to catastrophic consequences such as the blatant invasion of an individual’s privacy. Hence, putting data privacy at the centre of public discourse is the need of the hour and the present government rightly did so by introducing the Personal Data Protection Bill 2019, in the Lok Sabha on December 11, 2019.

The Bill, as its name suggests, seeks to provide for the protection of personal data of individuals, along with the establishment of a Data Protection Authority. At present, the Bill is under the scrutiny of a Joint Select Committee of both houses instead of the Standing Committee on Information Technology. Once the committee publishes a report, the Bill will become an Act, only after sailing through both the Houses of the Parliament.

Brief Background Of The Bill:

The Supreme Court of India marked a watershed in August 2017, when it declared privacy as a ‘Fundamental Right’ of Indian citizens, under K.S. Puttaswamy vs. Union of India case. The Court also emphasized that ‘informational privacy’, or the privacy of personal data and facts, is an indispensable aspect of the Right to Privacy.

The conspicuously modified current “draft” confers greater powers on the Data Protection Authority and the central government.

In July 2017, a nine-member committee, headed by retired Supreme Court judge, Justice BN Srikrishna was set up by the Ministry of Electronics and Information Technology to study the issues related to data protection and privacy. The Bill that was approved by the Cabinet on December 4, 2019, and tabled in the Lok Sabha on December 11, 2019, is based on the draft legislation submitted by the committee to the Ministry of Electronics and Information Technology (MeitY) in July 2018.

The present Bill, however, substantially deviates from the recommendations of the committee. The committee suggested considerable changes in the way data is processed in India and included requirements such as localisation of personal data, restrictive conditions for the transfer of personal data, penalties for reckless de-identification of data and the creation of a Data Protection Awareness Fund.

Significantly departing from Committee’s draft, the PDP Bill has introduced new constructs such as consent managers and social media intermediaries. It has conspicuously modified the “draft” by conferring greater powers on the Data Protection Authority and the central government. Moreover, the mechanism for the phased implementation of the provisions of the PDP Bill has also been done away with. Hence, the various provisions of the law will come into force on the dates on which they are notified.

It’s been said that India’s Data Protection Bill seems heavily influenced by the European Union’s General Data Protection Regulation (GDPR), especially many of the consent-related provisions in the Bill share a glaring similarity to those enshrined in the GDPR.

Here Are Some Key Provisions Of The Bill:

  • The Bill explicitly states that the entities must obtain an informed, clear and specific consent of the individual, in order to process their personal data.
  • The government can direct a data fiduciary to get access to non-personal data for providing better services to the citizens. A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.
  • Health-related data can be processed without consent and can also be transferred outside India in case of health or emergency services if the government has deemed such transfer to be permissible.
  • The Bill authorizes the central government to allow government agencies to process personal data without prior consent of the individual, under certain circumstances like any function of Parliament or state legislature, compliance with any court judgement, to respond to a medical emergency or a breakdown of public order, purposes related to employment, for reasonable purposes as specified by the DPA.
  • Especially when national security is concerned, certain government agencies can have access to personal data for any investigation pertaining to offences.
  • The Bill envisages setting up a Data Protection Authority to ensure compliance.
  • The Bill places prohibitions on the transfer of personal data abroad. However, the sensitive personal data can be transferred outside India with permission but has to be stored in India only, subject to certain conditions.
  • All the critical personal data will only be processed in India, and the central Government is entitled to notify critical personal data.
  • There is a penalty of ₹5 crores or 2% of the turnover of the concerned company, whichever is higher, for failing to adhere to the provisions of the Bill.
  • The Bill empowers the citizens to seek correction of inaccurate, incomplete, or out-of-date personal data. They can also withdraw their consent, and restrict continuing disclosure of their personal data by a fiduciary, or have the data ported to other fiduciaries.

Pros Of The Bill

  • Presently, much of cross-border transfer of data is regulated and administered by individual bilateral “mutual legal assistance treaties”, and law-enforcement agencies have to undergo a cumbersome process to get access to such data. Data localisation will help the authorities by allowing them easy access to data for investigation.
  • The Bill if turned into an Act, will ensure fewer security breaches in cyber-world, and a decrease in cybercrimes.
  • The cases of fake news are at an all-time high. Rumours that are being spread through social networking sites often lead to terrible consequences like lynchings and even national security threats. The unbridled world of social media and internet within the borders of India can be monitored and kept in check.
  • The Government will be able to ensure better tax compliance by giant online firms.
  • Data sovereignty will be maintained.
  • The Bill foists additional requirements on Data Collectors, such as a requirement to obtain parental or guardian consent if there is a need for the collection of data belonging to children.

Cons of the Bill:

  • Data localisation norm can make India an infeasible market for services, that cannot afford the financial or logistical costs of data localisation. Additional costs incurred by the digital service companies will be passed down to the customers.
  • It can hamper the growth of start-ups by preventing them from expanding globally. The physical storage of data locally isn’t relevant in the current times anyway. Even if the data is stored in the country, the encryption keys may still be inaccessible to the government agencies.
  • The Bill does not define what actually constitutes ‘critical personal data’.
  • Such protectionist measures do not bode well with a globalised and competitive internet marketplace.
  • The Bill in the garb of ‘exemptions’ dilutes protections on individual data rights.
  • Technology giants like Facebook and Google fear that the domino effect of the protectionist policy of the Bill will lead to other countries following suit.
  • Although, localisation of data may protect Indian data from foreign threats, placing the servers within the country will increase the risk of domestic threats due to lack of resources and robust infrastructure.

Recommendations:

Union It and Law minister Ravi Shankar Prasad
Union IT & Law Minster Ravi Shankar Prasad. Image courtesy to Telegraph india.
  • The word privacy has been sparsely used in the document of the Bill. The Preamble of the Bill needs to categorically state that the legislation is for the protection of an individual’s privacy and enforcement of the fundamental right to privacy of all individuals.
  • The Bill should also focus on the creation of robust security infrastructure to ensure the enforcement of the right to privacy.
  • The state will monitor the data, but who will monitor the state? There should be prior judicial review of State access of personal data, and this can be done through a designated court or vesting judicial powers to an independent authority such as the DPA.
  • The Bill needs to define terms such as ‘national security’, ‘public order’ and critical personal data clearly and not leave these terms open-ended and subject to random interpretations.
  • Agencies accessing any personal data should have a data protection officer to make sure that they stick to the law.
  • The Whistleblower protection needs an urgent implementation now more than ever. Every now and then government agencies are being accused of purchasing and misusing data, for which merging of the Whistleblower protection with the Data Protection Bill is necessary.
  • Whenever there is a data breach or unlawful surveillance, the citizens or data subjects should be informed, as it’s their right to be informed.
  • A sensible approach at this stage would be to entirely focus on stakeholder consultations and draft a law based on more detailed discussions and deliberations.

The extensive powers bestowed upon the state by the Bill, to some extent, renders the landmark case K.S. Puttaswamy vs. Union of India meaningless. This phenomenal case culminated into the recognition of privacy as a basic right and therefore connoted to life and liberty. The essence of the judgement must be respected, and privacy should be held pivotal to the Bill.

The Data Protection Bill 2019, is indeed a welcome step, as it is the first such law in the history of the nation, but the legislation in its present form has certain grey areas and ambiguous clauses, which need more clarity from the government.

Similar Posts

A former Assistant Secretary with the Ministry of Women and Child Development in West Bengal for three months, Lakshmi Bhavya has been championing the cause of menstrual hygiene in her district. By associating herself with the Lalana Campaign, a holistic menstrual hygiene awareness campaign which is conducted by the Anahat NGO, Lakshmi has been slowly breaking taboos when it comes to periods and menstrual hygiene.

A Gender Rights Activist working with the tribal and marginalized communities in india, Srilekha is a PhD scholar working on understanding body and sexuality among tribal girls, to fill the gaps in research around indigenous women and their stories. Srilekha has worked extensively at the grassroots level with community based organisations, through several advocacy initiatives around Gender, Mental Health, Menstrual Hygiene and Sexual and Reproductive Health Rights (SRHR) for the indigenous in Jharkhand, over the last 6 years.

Srilekha has also contributed to sustainable livelihood projects and legal aid programs for survivors of sex trafficking. She has been conducting research based programs on maternal health, mental health, gender based violence, sex and sexuality. Her interest lies in conducting workshops for young people on life skills, feminism, gender and sexuality, trauma, resilience and interpersonal relationships.

A Guwahati-based college student pursuing her Masters in Tata Institute of Social Sciences, Bidisha started the #BleedwithDignity campaign on the technology platform Change.org, demanding that the Government of Assam install
biodegradable sanitary pad vending machines in all government schools across the state. Her petition on Change.org has already gathered support from over 90000 people and continues to grow.

Bidisha was selected in Change.org’s flagship program ‘She Creates Change’ having run successful online advocacy
campaigns, which were widely recognised. Through the #BleedwithDignity campaign; she organised and celebrated World Menstrual Hygiene Day, 2019 in Guwahati, Assam by hosting a wall mural by collaborating with local organisations. The initiative was widely covered by national and local media, and the mural was later inaugurated by the event’s chief guest Commissioner of Guwahati Municipal Corporation (GMC) Debeswar Malakar, IAS.

Sign up for the Youth Ki Awaaz Prime Ministerial Brief below