This article aims to provide an original contribution to the Indian data privacy laws by scrutinizing the current legislation affording Indians data privacy protection and different recommendations as laid down by the Justice Srikrishna Commission in various Sections of the draft Personal Data Protection Bill, 2018 and submitted to Ministry of Electronics and Information Technology (MEITY) for approval.
According to the law, personal data means any information relating to an identified or identifiable individual; an identifiable person is one who can be identified, directly or indirectly, by reference to an identification number (e.g. Aadhar number) or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Data privacy law protects citizens’ personal information and imposes restrictions as to how companies keep data on them. The lack of comprehensive data privacy and protection laws in a country of 1.3 Billion people is a matter of concern, as recently Facebook has shared 5 lakhs of Indian user account information with Cambridge Analytica without users’ consent.
Overview of Data Protection Laws around the world
Countries all around the world have adopted robust data privacy regulations to afford citizens personal data protection. The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The Data Protection Act,1998 is a United Kingdom Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system. CNIL (Commission nationale de l'informatique et des libertés) is an independent administrative French authority that exercises its functions with accordance to the French Data Protection Act 1978 and in the link < https://www.cnil.fr/en/data-protection-aroundthe-world> the data protection and privacy rights afforded to citizens of different countries in the world can be accessed.
Currently India does not have a specific legislation dealing with data privacy and protection. The different legislations such as Section 79, 65 and 66 of Information Technology Act 2000, Section 403 of the India Penal Code, Section 63B of the Indian Copyright Act and Credit Information Companies Regulation Act, 2005 afford data privacy and protection. The right to privacy has been recently recognised as a fundamental right emerging primarily from Article 21 of the Constitution, inJustice K.S. Puttaswamy (Retd.) v. Union of India. The biggest drawback of the current data protection laws is the lack of enforceability.
The recommendations by Srikrishna committee for a comprehensive Data Protection Act is step in positive direction to safeguard right to privacy of all Indian citizens. It recommends a comprehensive Personal Data Protection Bill, 2018 (PDP) and the draft for the Bill has been released.
Draft Personal Data Protection Bill, 2018 (PDP)
This Bill covers various aspects like jurisdiction within and outside India, definition of personal data, data fiduciaries and their obligation to protect data, standard consent and processing of data, non-consent-based processing, persons right over data, transparency and accountability required by a data fiduciary.Section 49 of the Bill requires setting up of Data Protection Authority (DPA) and it confers wide range of powers in the enforcement of the Bill to ensure accountability and transparency.
Section 2(1) of the Bill covers the territorial scope of jurisdiction as such it applies to personal data processed in India and Section 2(2) covers the extra territorial jurisdiction i.e. it applies to data fiduciary or a processor processing personal information of Indian citizens in a foreign country. The latter is mainly derived from Article 3(2) of the GDPR. The definition of jurisdiction given by this Section is quite comprehensive and it also empowers Indian courts to deal with foreign entities who misuse our data like Cambridge Analytica in the future.
Personal Data under the bill
This Act gives a broad definition to personal data in Sections 3(29), 40(1), 3 (35), 106 which includes a broad range of identifiable/ nonidentifiable personal data, data mirroring, sensitive personal data, financial records, health records, biometric data and critical personal data. The critical personal data defined by the Act includes biometrics, Aadhaar card, genetic data. This also covers the geolocation of army personal as critical personal data as to prevent another Smeshapp incidentwhere Pakistan spied on Indian Military Personnel using an App from the Play Store in 2016.
Section 3 of the Personal Data Protection Bill, 2018 includes state, company or individual in the definition of data fiduciary and data processor. Section 4 of the Bill states that a fiduciary relationship exists between an individual and data processor and that the data must be processed in a fair, reasonable and lawful manner. The Bill also dilutes the privacy rights of individuals by allowing non- consent-based data processing for certain entities like Aadhar and by allowing the data to be processed for research, analytical and research purposes by Section 45. Although there is non-consent-based exception for data processing, the bar set for the consent on data processing is very high. The Bill also introduces age verification and parental consent for data processing of minors and explicit consent for sensitive personal data. The mention of Indian Contract Act in the interpretation of consent between the parties would have made the application of provisions of the Act clearer.
The non-consensual grounds for data processing are given in the Sections 13,14, 15, 16, 17,19, 20 and 21. The exemption to consent is given in Sections 42-48 of the Bill which includes exemptions like security of the Sate and disclosure for legal proceedings. Sections 24-30 discusses about the rights afforded to a person over his data. There are key rights like right to erasure, right to restrict and object processing missing in this Bill which are found in GDPR.
Data Protection Authority (DPA)
Data Protection Authority of India established under Chapter X of this Act. The authority constitutes of a chair person and 6 full time members appointed by Central Government’s select committee. It is the duty of the authority to protect the interests of data principals, prevent any misuse of personal data ensure compliance with the provisions of this Act, and promote awareness of data protection. Section 60(2) gives a comprehensive list of all the powers conferred on DPA by the Act. In the matters prescribed under Section 60 (3) DPA will have the same power as a civil court under the Code of Civil Procedure, 1908. The power of the authority to issue codes of practice is detailed in Section 61. Section 62-66 gives the authority the power to issue directions, call for information, conduct inquiry, and search and seizure. Section 68 creates separate adjudication wing for imposing penalties and awarding compensation.
The Bill lays down penalties under Chapter XI for breach of the data protection provisions prescribed by the Act. Section 69(1) prescribes penalties for the breach of obligations as “Where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher”. Section 69 (2) prescribes penalties for the breach of personal data processing provisions as “Where a data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher”.
Establishment of Appellate Tribunal
Under S 79 the central government shall establish an appellate tribunal to hear and dispose of any appeal from an order of the Adjudicating Officer or any other appeals as mentioned in the Section. Section 84 outlines the process and procedure for filing an appeal or application to appellate tribunal. Under Section 85 (1) the appellate tribunal is not bound by the procedure laid down by the Code of Civil Procedure, 1908 and is bound by the principle of natural justice. Under Section 85 (2) the tribunal shall the same powers as a civil court under the Code of Civil Procedure,1908 while trying a suit for matters mentioned in the Section.
Appellate Tribunal shall be deemed to be a civil court for the purposes of Section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973 (2 of 1974). Under S 86 an order passed by the Appellate Tribunal under this Act shall be executable by the Appellate Tribunal as a decree of civil court.
Appeal to Supreme Court
The power to appeal against the decision of appellate tribunal to Supreme Court is granted under Section 87, with a limitation period of 90 days which can be extended subjected to judicial discretion. Right to legal representation is granted under Section 88.
Bar on civil suits
Under Section 89 no civil courts have the right to entertain a suit or proceeding or grant an injunction in respect to any proceedings which were being conducted under the power granted by this Bill to appellate tribunal.
Sections 90-96 outline the offences under this Act. Section 90 makes it an offence to obtain, transfer or sell personal data contrary to the Act and if significant harm occurs to data principal, such person shall be punishable with imprisonment for a term not exceeding three years or shall be liable to a fine which may extend up to rupees two lakh or both.
Section 91 makes it an offence to obtain, transfer or sell personal data contrary to the Act and if harm occurs to data principal, such person shall be punishable with imprisonment for a term not exceeding five years or shall be liable to a fine which may extend up to rupees three lakh or both.
Section 93 contemplates the offences under this Act as cognizable and non-bailable. Section 92 makes re-identification and processing of deidentified personal data without the consent of data processor a criminal offence punishable with imprisonment for a term not exceeding three years or shall be liable to a fine which may extend up to rupees two lakhs or both. Section 95 deals with the offences by companies and Section 96 deals with offences by central and state governments.
Potential overlap with current legislation
The Committee has identified a list of 50 statutes and regulations which have a potential overlap with the data protection framework. Concerned ministries may take note of this and ensure appropriate consultation to make complementary amendments where necessary.
How Can the bill be improved?
The derogations set out in the non-consent-based data processing specifically the ones in which the government does not require the consent of the data personal when the security of the state is under threat should be limited to prevent mass surveillance. The act should be in accordance with the GDPR set out by the EU as it will afford more international companies to set up their data processing centres in India as the GDPR permits the data processing centre to be set up and operate in a foreign jurisdiction if proper norms are adhered to. As Sridhar Acharyulu from Central information commission has said the Justice Srikrishna panel's recommendations may render the Right To Information (RTI) Act "absolutely useless in securing access to public records pertaining to public servants" as definition of personal data, harm, mental injury and loss of reputation may be used to reject all RTI pleas, the concerns should be addressed in the final version of the Bill.
The Personal Data Protection Bill, 2018 is loosely based on GDPR and the U.K.’s Data Protection Bill 1998. There are many welcoming recommendations by Srikrishna committee to the central government such as setting up of DPA and appellate tribunal. The PDP final draft should confer more rights to the data personal and make it easier for them to bring appeal to the tribunal.
-  (GDPR) (EU) 2016/679
-  (2017) 10 SCC 1
Click here to register for the event - Legal Tech Fair at New Delhi