Is personal data protection bill, 2019 the answer to all your privacy concerns?

KEY TAKEAWAYS

• The Personal Data Protection Bill once passed will be responsible for protection of personal data of individuals from unauthorized data processing, and will repeal section 43A of the Information Technology Act, 2000.
• Many amendments have been made to the 2018 bill including removal of 'Passwords' from the sensitive data category.
• The Bill along with its advantages also has certain shortcomings such as an almost unrestricted access to all data granted to the government.
• The Bill has also established a Data Protection Authority along safeguards and penalties to ensure compliance with the bill.

WHAT IS PERSONAL DATA?

Personal Data has been defined in Clause (2) of the Personal Data Protection Bill, 2019 (hereinafter referred to as the PDP Bill). It states that 'Personal Data' is data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;'. In essence, personal data is any information online or offline, that relates to an identified or identifiable living individual.

Click here to enroll masterclass on - The IBC - Theory, and Practice by Adv. Amrita Kharkar

SIGNIFICANCE OF PERSONAL DATA PROTECTION LAWS

To understand the importance of protection of personal data, we need to appreciate the power of 'data' in today’s digital economy. In this era, whatever personal information that a subject may disseminate online and offline, all such information is processed and analysed by various agencies that we may or may not be aware of. This processed information is then converted into usable data in the form of health information, geolocation information, financial information, professional/employment related information, and the likes. Therefore, the likelihood of misuse of such information is high and not only should the public be wary of what they disclose, but it also becomes the duty of the Government to protect citizens from data frauds and misusage.

As per the introduction of the PDP Bill, the purpose of this Act is to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data; create a relationship of trust between persons and entities processing the personal data; protect the rights of individuals whose personal data are processed, etc. Furthermore, the Act seeks to increase accountability of entities harmfully processing data in an unauthorized manner and to establish a Data Protection Authority of India for the said purposes.

DEVELOPMENT OF DATA PROTECTION LAWS IN INDIA

Hitherto (before the PDP Bill) India did not have a specific legislation enacted primarily for data protection. India’s regulatory mechanism for data protection and privacy is the Information Technology Act, 2000 ('the IT Act').

Section 43A of the IT Act creates a liability on a body corporate which possesses, deals or handles any sensitive personal data or information, if there is any wrongful loss or wrongful gain to any person caused because of the negligence in implementing and maintaining reasonable security practices and procedures to protect the information of the person affected. In Addition to this, section 72A of the IT Act provides for punishment in case of any person who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent of causing or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned.

Furthermore, personal data is also protected under Article 21 of the Indian Constitution which guarantees to every citizen, the Right to Privacy as a fundamental right (held in Justice K.S Puttaswami & another Vs. Union of India Writ Petition (CIVIL) NO 494 OF 2012).

However, these existing laws had certain shortcomings. The IT Act was not enacted with the primary intent of providing data protection and hence the scope and applicability of the provisions of the IT Act on Data Protection is very narrow.

Therefore, a committee under Retd. Justice B N Srikrishna was then constituted to propose a draft statute on data protection. The Government of India has issued the Personal Data Protection Bill 2018 based on the recommendations of the committee. The bill was subsequently amended multiple times and the final draft of India's Personal Data Protection Bill, 2019, will include 89 amendments, one new clause and two new amendments in the Schedule (the annexure to the main Bill). This Bill, if successfully passed by both the houses, will be India’s first legislation on the protection of personal data. The current PDP Bill once passed would be repealing section 43A of the IT Act 2000.

SALIENT FEATURES OF THE PDP BILL

1. The PDP Bill standardizes three categories of data - Personal Data, Sensitive Personal Data, and Critical Personal Data. Sensitive personal data includes financial data, health data, religious or political beliefs, etc.

'Passwords' have been removed from the list of sensitive personal data listed in the latest draft of the bill.

2. The PDP Bill confers upon a user the right to be forgotten, i.e., to stop their data from being disseminated if the purpose of data collection has been served, if the user withdrew consent, or the data was disclosed illegally.
3. The PDP Bill establishes a Data Protection Authority of India which shall take steps to protect interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill and promote awareness about data protection.
4. The PDP Bill recommends that the data fiduciaries may process the relevant data only if consent is provided by the individual. However, there are certain exceptions provided under which Personal Data can be processed without consent such as if the data is required by the State for providing benefits to the individual, the data concerns legal proceedings, the data is for response to a medical emergency, the data is employment related, etc.
5. The data fiduciaries are required to institute certain measures to ensure transparency and accountability such as preparation of privacy policy, ensuring transparency in processing personal data; implementing security safeguards; informing the Authority of any breach of any personal data, etc.
6. The PDP Bill also mentions penalties for non-compliance with the PDP legislation. Failure of the data fiduciary to fulfill its obligations for data protection may be punishable with a penalty which may extent to Rs 5 crores or 2% of its total worldwide turnover of the preceding financial year, whichever is higher.

LOOPHOLES AND SHORTCOMINGS

1. Manifold relaxations to Government:

The present PDP bill is lucidly rigorous for private stakeholders and companies, however the capacity of exemptions for the government is quite palpable on a preliminary reading of the Bill.

2. Dubious independence of the Data Protection Authority:

The PDP Bill reduces the powers and independence of the DPA by significantly weakening the commission that will appoint the chairperson and members. In the revised draft, the DPA is comprised of a chairperson and six whole-time members. All these members will be appointed on the basis of recommendations made by a selection committee that consists of Cabinet Secretary and Secretaries in-charge of Legal Affairs, and Electronics and IT. The DPA, thus, will be appointed by the executive branch of the government.

3. Data-Localisation not conducive from cross-border perspective

The Bill states that while sensitive and critical data can be processed outside the country, it must be stored in India. Such data-localisation and mirroring requirements, along with exemptions for the government and a DPA that is not independent, mean that other territories, such as the European Union, will not deem India adequate from a cross-border data transfer perspective. That will hamper processing activities that are outsourced to India.

SUGGESTIONS

1. It is submitted that neither should government agencies have unlimited access to data, nor should private companies have access to government data without clear safeguards. Hence, there ought to be coherent safeguards to limit the data that can be accessed by the government in the name of national security.
2. Furthermore, it is also suggested that along with establishment of relevant legislations for data protection, a culture of awareness or 'cyber hygiene' must be extended where both the government and the citizens of India take steps in making people aware of sensitive data leakages, possible ways in which it can be abused, and how they can take charge of protecting it.

CONCLUSION

The purpose of this Bill is to provide for protection of privacy of individuals relating to their Personal Data and to establish a Data Protection Authority of India for the said purposes and the matters concerning the personal data of an individual. The Personal Data Protection Bill 2019 after being passed in Loksabha has become highly debated on account of what it protects and what has been missed from the Bill. The Bill brings about a much needed centralization to the data protection laws in India, but is still far from perfect. In order to truly bring about data privacy and protection, the laws must be applied uniformly throughout while also emphasizing on the need to educate citizens about being aware and vigilant about their personal data.