In the age where humans are becoming digital, in an era where algorithms through our data know us more than we know ourselves, in a time where democracy is not about human rationality but all about human emotions and how easily they can be manipulated by data and in the generation where data has become the ultimate puppeteer- one who owns the data is the ultimate king of the world.
India is home to the largest population in the world, and is thus one of the most data extensive countries with an expanding domestic market. A simple exercise of buying a sweater from market generates immense data and is then processed in terms of color, fabric and price range customers choose. Have you ever wondered how a simple google search surrounds you with a cobweb of related suggestions? All this data, more often than not is hitherto processed without consent. Now imagine the catastrophic results when our sensitive personal data, namely biometrics, financial information, health information, sexual orientation is processed without our consent and utilized for a purpose unknown to us. Currently, all such data is regulated by IT Rules, 2011 under IT Act 2000 which has gone obsolete owing to the technological advancement and data explosion.
The Supreme Court of India through its 9 judge bench in Puttaswamy Case declared Right to Privacy a Fundamental Right under Article 21 which led to formation of Justice Srikrishna Committee responsible for giving guidelines for the protection of personal data which ultimately transcended into Data Protection Bill 2019 that was introduced in parliament on December 11 by Union IT Minister Ravi Shankar Prasad. The bill places certain obligations on entities processing personal data and gives rights to individuals whose data is processed. It also establishes the Data Protection Authority for regulatory and administrative purposes.
The bill provides a framework for protection of individual data, sensitive personal data and critical data by defining them and envisages that critical personal data of the citizens is kept in the country so that individuals have more control on how the data is used but also provides for parallel exceptions which may pose as major loopholes in future. It bars storing and processing of personal data by entities without the explicit consent of an individual subject to certain exceptions. The bill, it seems balances individual interest with respect to economic interest of the country, but is couched in such vague terms that it leaves the bill in wiggle room and raises concerns whether it will efficiently safeguard individuals or make them more vulnerable?
The bill, on one hand makes individuals owners of their data, giving them the right to access it and correct it, right to data portability and right to be forgotten by making obligatory provisions for both data entities and data fiduciaries. They will have to make proper procedure regarding encryption with special attention on data related to children which cannot be processed without parental consent, social media fiduciaries must provide for voluntary user verification mechanism, grievance redressal mechanism failing which may attract penalties up to Rupees 15 crore or 4% of annual global turnover whichever is higher. Re-identification and processing without consent may attract 3 years imprisonment or fine or both.
But on the other hand, the bill also bestows upon the central government blanket power to access citizen’s data with exemptions that have a wide ambit and are against the principle of transparent data processing. All types of data can be utilized by the data entities without consent of individuals for reasonable purposes such as national security, public order, maintaining friendly relations with foreign countries whistle-blowing, credit scoring, research, and archiving, statistical purposes. The Centre can also exempt government authorities from following the provisions of this act if deemed fit. This ambiguous language leaves the bill exposed to major defects which may defeat the purpose of the entire legislation as the government itself is the largest owner of data and without safeguards in place data is furthermore prone to misuse.
While there are lots of similarities between this bill and European GDPR which has become a common noun for data protection laws all over the world, as concerns related to human data are universal in nature but the ambiguous language of the bill dilutes the objective. Effective data privacy and personal information protection are the foundational pillars for developing an individual’s trust in the digital economy and the consultative process in the Parliament must transform the double-edged sword bill into a robust Act that is interoperable with international practices and lead to increased data transparency.