Data Protection Bill: The State Will Monitor The Data, But Who Will Monitor The State?

With over 500 billion active web users, an infinite amount of data is generated as well as consumed, in India, literally every passing minute. Such a huge repository of data, without the protection of any legal framework, can lead to catastrophic consequences such as the blatant invasion of an individual’s privacy. Hence, putting data privacy at the centre of public discourse is the need of the hour and the present government rightly did so by introducing the Personal Data Protection Bill 2019, in the Lok Sabha on December 11, 2019.

The Bill, as its name suggests, seeks to provide for the protection of personal data of individuals, along with the establishment of a Data Protection Authority. At present, the Bill is under the scrutiny of a Joint Select Committee of both houses instead of the Standing Committee on Information Technology. Once the committee publishes a report, the Bill will become an Act, only after sailing through both the Houses of the Parliament.

Brief Background Of The Bill:

The Supreme Court of India marked a watershed in August 2017, when it declared privacy as a ‘Fundamental Right’ of Indian citizens, under K.S. Puttaswamy vs. Union of India case. The Court also emphasized that ‘informational privacy’, or the privacy of personal data and facts, is an indispensable aspect of the Right to Privacy.

In July 2017, a nine-member committee, headed by retired Supreme Court judge, Justice BN Srikrishna was set up by the Ministry of Electronics and Information Technology to study the issues related to data protection and privacy. The Bill that was approved by the Cabinet on December 4, 2019, and tabled in the Lok Sabha on December 11, 2019, is based on the draft legislation submitted by the committee to the Ministry of Electronics and Information Technology (MeitY) in July 2018.

The present Bill, however, substantially deviates from the recommendations of the committee. The committee suggested considerable changes in the way data is processed in India and included requirements such as localisation of personal data, restrictive conditions for the transfer of personal data, penalties for reckless de-identification of data and the creation of a Data Protection Awareness Fund.

Significantly departing from Committee’s draft, the PDP Bill has introduced new constructs such as consent managers and social media intermediaries. It has conspicuously modified the “draft” by conferring greater powers on the Data Protection Authority and the central government. Moreover, the mechanism for the phased implementation of the provisions of the PDP Bill has also been done away with. Hence, the various provisions of the law will come into force on the dates on which they are notified.

It’s been said that India’s Data Protection Bill seems heavily influenced by the European Union’s General Data Protection Regulation (GDPR), especially many of the consent-related provisions in the Bill share a glaring similarity to those enshrined in the GDPR.

Here Are Some Key Provisions Of The Bill:

• The Bill explicitly states that the entities must obtain an informed, clear and specific consent of the individual, in order to process their personal data.
• The government can direct a data fiduciary to get access to non-personal data for providing better services to the citizens. A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.
• Health-related data can be processed without consent and can also be transferred outside India in case of health or emergency services if the government has deemed such transfer to be permissible.
• The Bill authorizes the central government to allow government agencies to process personal data without prior consent of the individual, under certain circumstances like any function of Parliament or state legislature, compliance with any court judgement, to respond to a medical emergency or a breakdown of public order, purposes related to employment, for reasonable purposes as specified by the DPA.
• Especially when national security is concerned, certain government agencies can have access to personal data for any investigation pertaining to offences.
• The Bill envisages setting up a Data Protection Authority to ensure compliance.
• The Bill places prohibitions on the transfer of personal data abroad. However, the sensitive personal data can be transferred outside India with permission but has to be stored in India only, subject to certain conditions.
• All the critical personal data will only be processed in India, and the central Government is entitled to notify critical personal data.
• There is a penalty of ₹5 crores or 2% of the turnover of the concerned company, whichever is higher, for failing to adhere to the provisions of the Bill.
• The Bill empowers the citizens to seek correction of inaccurate, incomplete, or out-of-date personal data. They can also withdraw their consent, and restrict continuing disclosure of their personal data by a fiduciary, or have the data ported to other fiduciaries.

Pros Of The Bill

• Presently, much of cross-border transfer of data is regulated and administered by individual bilateral “mutual legal assistance treaties”, and law-enforcement agencies have to undergo a cumbersome process to get access to such data. Data localisation will help the authorities by allowing them easy access to data for investigation.
• The Bill if turned into an Act, will ensure fewer security breaches in cyber-world, and a decrease in cybercrimes.
• The cases of fake news are at an all-time high. Rumours that are being spread through social networking sites often lead to terrible consequences like lynchings and even national security threats. The unbridled world of social media and internet within the borders of India can be monitored and kept in check.
• The Government will be able to ensure better tax compliance by giant online firms.
• Data sovereignty will be maintained.
• The Bill foists additional requirements on Data Collectors, such as a requirement to obtain parental or guardian consent if there is a need for the collection of data belonging to children.

Cons of the Bill:

• Data localisation norm can make India an infeasible market for services, that cannot afford the financial or logistical costs of data localisation. Additional costs incurred by the digital service companies will be passed down to the customers.
• It can hamper the growth of start-ups by preventing them from expanding globally. The physical storage of data locally isn’t relevant in the current times anyway. Even if the data is stored in the country, the encryption keys may still be inaccessible to the government agencies.
• The Bill does not define what actually constitutes ‘critical personal data’.
• Such protectionist measures do not bode well with a globalised and competitive internet marketplace.
• The Bill in the garb of ‘exemptions’ dilutes protections on individual data rights.
• Technology giants like Facebook and Google fear that the domino effect of the protectionist policy of the Bill will lead to other countries following suit.
• Although, localisation of data may protect Indian data from foreign threats, placing the servers within the country will increase the risk of domestic threats due to lack of resources and robust infrastructure.

Recommendations:

• The word privacy has been sparsely used in the document of the Bill. The Preamble of the Bill needs to categorically state that the legislation is for the protection of an individual’s privacy and enforcement of the fundamental right to privacy of all individuals.
• The Bill should also focus on the creation of robust security infrastructure to ensure the enforcement of the right to privacy.
• The state will monitor the data, but who will monitor the state? There should be prior judicial review of State access of personal data, and this can be done through a designated court or vesting judicial powers to an independent authority such as the DPA.
• The Bill needs to define terms such as ‘national security’, ‘public order’ and critical personal data clearly and not leave these terms open-ended and subject to random interpretations.
• Agencies accessing any personal data should have a data protection officer to make sure that they stick to the law.
• The Whistleblower protection needs an urgent implementation now more than ever. Every now and then government agencies are being accused of purchasing and misusing data, for which merging of the Whistleblower protection with the Data Protection Bill is necessary.
• Whenever there is a data breach or unlawful surveillance, the citizens or data subjects should be informed, as it’s their right to be informed.
• A sensible approach at this stage would be to entirely focus on stakeholder consultations and draft a law based on more detailed discussions and deliberations.

The extensive powers bestowed upon the state by the Bill, to some extent, renders the landmark case K.S. Puttaswamy vs. Union of India meaningless. This phenomenal case culminated into the recognition of privacy as a basic right and therefore connoted to life and liberty. The essence of the judgement must be respected, and privacy should be held pivotal to the Bill.

The Data Protection Bill 2019, is indeed a welcome step, as it is the first such law in the history of the nation, but the legislation in its present form has certain grey areas and ambiguous clauses, which need more clarity from the government.