Context
- The Ministry of Electronics and IT (MeitY) has released the draft Digital Personal Data Protection Bill, 2022, and the government has invited public comments and consultations on it.
- In this context, this edition of Burning Issue discusses the evolution of privacy bills in India and analyses the current draft data bill.
Why do we need data protection?
- Increasing internet use: India currently has over 750 million Internet users, with the number only expected to increase in the future.
- Data breaches: At the same time, India has one of the highest rates of data breaches in the world. Without a data protection law in place, the data of millions of Indians continues to be at risk of being exploited, sold, and misused without their consent.
- Individual privacy: Data monetization may happen at the cost of individual privacy. The most sought-after datasets are those that contain sensitive personal data of individuals, e.g. medical history and financial data.
- Lack of writ proceedings against corporate action: Unlike state action, corporate action or misconduct is not subject to writ proceedings in India. This is because fundamental rights are, by and large, not enforceable against private non-state entities. This leaves individuals with limited remedies against private actors.
Background: Evolution of the demand for data protection
- The journey towards data protection legislation began in 2011, when the Department of Personnel and Training initiated discussions on the Right to Privacy Bill, 2011.
- The major fillip to the data protection case came from the K.S. Puttaswamy judgment (2017), in which the Supreme Court held the right to privacy to be a fundamental right under Article 21 (right to life and personal liberty).
- After the Puttaswamy judgment, the government appointed a committee headed by Justice B.N. Srikrishna to draft a law on data protection and privacy. The committee's report and draft bill later led to the Personal Data Protection Bill, 2019.
The previous draft Personal Data Protection Bill, 2019
The PDP Bill was introduced in Lok Sabha by the Minister of Electronics and Information Technology in 2019. The Bill seeks to provide for the protection of the personal data of individuals and establishes a Data Protection Authority for the same. Here are the key features:
- Applicability: The Bill governs the processing of personal data by the government, companies incorporated in India, and foreign companies dealing with the personal data of individuals in India.
- Categorization of data– Personal data is data that pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorizes certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
- Data fiduciary and its obligations– A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing is subject to purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purposes.
- Rights of the individual– The Bill sets out certain rights of the individual (or data principal). These include the right to: obtain confirmation from the fiduciary on whether their data has been processed; seek correction of inaccurate, incomplete, or out-of-date personal data; have personal data transferred to another data fiduciary in certain circumstances; and restrict continuing disclosure of their data by a fiduciary if it is no longer necessary or consent is withdrawn.
- Grounds for processing personal data– The Bill allows fiduciaries to process personal data only with the individual's consent. However, in certain circumstances, personal data can be processed without consent.
- Data Protection Authority– The Bill sets up a Data Protection Authority which may take steps to protect the interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years of expertise in the field of data protection and information technology.
- Transfer of data outside India– Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
- Exemptions for government agencies– The central government can exempt any of its agencies from the provisions of the Act in the interest of the security of the state, public order, sovereignty and integrity of India, and friendly relations with foreign states.
What were the issues with the 2019 Bill?
- Broad exemption powers for the state: The Bill's expansive exemptions allowed the state to exempt its agencies from the entire application of the law simply if it was "expedient" to do so in the interest of national security or public order.
- Powers without accountability: The PDP Bill, 2019, as well as the Joint Parliamentary Committee's (JPC) version, established a strong regulator (the Data Protection Authority) with a lot of power but very little independence or accountability.
- Data localisation: The Bill imposed a strong data localisation mandate, requiring companies to store all sensitive personal data and critical personal data (a category the Bill left undefined) in India.
- Subsuming personal and non-personal data: The JPC recommended regulating personal data and non-personal data within a single piece of legislation, even though this undermined the Puttaswamy mandate to ensure the protection of personal data.
The latest draft: Digital Personal Data Protection Bill, 2022
The PDP Bill, 2019, prepared by MeitY, was referred to a Joint Parliamentary Committee (JPC) for review. The JPC tabled its report on the PDP Bill, 2019, together with a revised draft, the Data Protection Bill, 2021, in Parliament.
On August 3, 2022, MeitY withdrew the 2021 Bill, stating that a more "comprehensive legal framework" would be presented soon. This led to the current DPDP Bill, 2022.
According to an explanatory note for the bill, it is based on seven principles:
- Lawful use: The first is that “usage of personal data by organizations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.”
- Purpose limitation: The second principle states that personal data must only be used for the purposes for which it was collected.
- Data minimization: Bare minimum and only necessary data should be collected to fulfill a purpose.
- Data accuracy: Personal data should be accurate at the point of collection, and there should not be any duplication.
- Duration of storage: The fifth principle states that collected personal data cannot be "stored perpetually by default," and that storage should be limited to a fixed duration.
- Authorized collection and processing: There should be reasonable safeguards to ensure there is “no unauthorized collection or processing of personal data.”
- Accountability of data fiduciaries: The person who decides the purpose and means of the processing of personal data should be accountable for such processing.
Key features of the bill
Data Principal and Data Fiduciary
- The bill uses the term “Data Principal” to denote the individual whose data is being collected.
- The term "Data Fiduciary" denotes the entity (which can be an individual, company, firm, state, etc.) that decides the "purpose and means of the processing of an individual's personal data."
- The bill also recognises that in the case of children (defined as all individuals under the age of 18), their parents or lawful guardians will be treated as the 'Data Principal.'
Defining personal data and its processing
- Under the law, personal data is “any data by which or in relation to which an individual can be identified.”
- Processing means “the entire cycle of operations that can be carried out in respect of personal data.”
- So everything from collection to storage of data counts as processing under the bill.
Individual’s informed consent
- The bill also makes it clear that an individual needs to give consent before their data is processed.
- Every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.
- Individuals also have the right to withdraw consent from a Data Fiduciary.
- The bill also gives individuals the right to file a complaint against a 'Data Fiduciary' with the Data Protection Board if they do not get a satisfactory response from the fiduciary.
Language of information
- The bill also ensures that individuals should be able to "access basic information" in the languages specified in the Eighth Schedule of the Indian Constitution.
- Further, the notice of data collection needs to be in clear and easy-to-understand language.
Significant Data Fiduciaries
- The bill also provides for 'Significant Data Fiduciaries', who deal with a high volume of personal data.
- The Central government will designate entities under this category based on a number of factors, including the volume of personal data processed, the risk of harm to individuals, and the potential impact on the sovereignty and integrity of India.
Data protection officer & Data auditor
- Significant Data Fiduciaries will have to appoint a 'Data Protection Officer' who will represent them.
- They will be the point of contact for grievance redressal.
- They will also have to appoint an independent Data auditor who shall evaluate their compliance with the act.
Right to erase data, right to nominate
- Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.
- They will also have the right to nominate an individual who will exercise these rights in the event of the data principal's death or incapacity.
Cross-border data transfer
- The bill also allows for cross-border storage and transfer of data to “certain notified countries and territories.”
- However, an assessment of relevant factors by the Central Government would precede such a notification.
Financial penalties
- The draft also proposes significant penalties on businesses that suffer data breaches or fail to notify users when breaches happen.
- Entities that fail to take "reasonable security safeguards" to prevent personal data breaches can be fined up to Rs 250 crore.
- As per the draft, the Data Protection Board (a new regulatory body to be set up by the government) can impose a penalty of up to Rs 500 crore if non-compliance by a person is found to be significant.
What distinguishes this bill from its earlier versions?
- Gender neutrality: Significantly, and for the first time in the country’s legislative history, the terms ‘her’ and ‘she’ have been used irrespective of an individual’s gender. This, as per the draft, is in line with the government’s philosophy of empowering women.
- Imbibes best global practices: To prepare it, best global practices were considered, including a review of the data protection legislation of Australia, the European Union (EU) and Singapore, and a prospective law in the USA.
- Comprehensiveness: The draft has six 'Chapters' and a total of twenty-five clauses. The 'Chapters' are: 'Preliminary,' 'Obligations of Data Fiduciary,' 'Rights and Duties of Data Principal,' 'Special Provisions,' 'Compliance Framework,' and 'Miscellaneous.'
- Special emphasis for child protection: If personal data is likely to cause harm to a child, its processing will not be allowed.
Positive aspects of the bill
- Narrowing the scope to personal data: Limiting the data protection regime to personal data is a welcome move, as it resonates with the concerns of various stakeholders.
- Harnessing economic potential: Non-personal data can now be used to unlock social and economic value for citizens, businesses, and communities in India, with appropriate safeguards in place.
- Doing away with the aggressive push for data localisation: Replacing the localisation mandate with a list of notified countries to which data can flow could help India access innovative technological solutions from across the globe, which in turn helps domestic companies.
- Free flow of data: In addition, the free flow of data will help startups access cost-effective technology and storage solutions, as our research shows.
- Allowing data transfers: This will also ensure that India is not isolated from the global value chain, helping businesses stay resilient in production and supply chain management and fostering overseas collaboration.
- Introduction of the concept of 'Deemed Consent': It enables the processing of an individual's personal data without their explicit consent, where it is "reasonably expected that the Data owner would provide such Personal Data".
Some criticisms of the bill
- Open-ended language: The draft repeatedly uses open-ended phrases such as "as necessary" or "as may be prescribed", leaving the substance to be filled in later by the Executive.
- Government monopoly on power: The Bill does not appear to work towards protecting people; instead it ensures that the government retains all power without any checks or balances.
- Exemption provisions: The government has been given the power to exempt not only government agencies but any entity collecting user data from compliance with the provisions of the bill once it is signed into law.
- No remedy for data breaches: There is no right to compensation for individuals in the event of a data breach, and no right to data portability. Critics also point out that the Executive in India has a track record of exploiting open-ended provisions to expand its powers.
- Appointments to the Data Protection Board: The draft law leaves the appointment of the chairperson and members of the Data Protection Board entirely to the discretion of the central government. While the Data Protection Authority was earlier envisaged as a statutory authority (under the 2019 Bill), the Data Protection Board is now a board set up by the central government.
- Narrow focus: The bill is focused solely on personal data and excludes non-personal data (an exclusion that industry and civil society alike had demanded). It also eliminates the categorisation of personal data into sensitive and critical.
Global comparison: What other nations' data laws specify
An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, with Africa and Asia showing 61% (33 countries out of 54) and 57% adoption respectively, according to UNCTAD, an intergovernmental organisation within the United Nations Secretariat.
EU MODEL
- The GDPR focuses on a comprehensive data protection law for the processing of personal data. It has been criticised for being excessively stringent and imposing many obligations on organisations processing data, but it is the template for most of the legislation drafted around the world.
- There are certain exemptions such as national security, defence, public security, etc, but they are clearly defined and seen as exclusions on the periphery.
US MODEL
- Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government. It is viewed as being somewhat narrow in focus because it enables the collection of personal information as long as the individual is informed of such collection and use.
- The US template has been viewed as inadequate in key respects of regulation. There is no comprehensive set of privacy rights or principles in the US that, like the EU’s GDPR, addresses the use, collection, and disclosure of data. Instead, there is limited sector-specific regulation.
- The approach towards data protection is different for the public and private sectors. The activities and powers of the government vis-a-vis personal information are, however, sufficiently well-defined and addressed by broad legislation such as the Privacy Act, the Electronic Communications Privacy Act, etc. For the private sector, there are some sector-specific norms.
CHINA MODEL
- New Chinese laws on data privacy and security issued in 2021 include the Personal Information Protection Law (PIPL), which came into effect in November 2021.
- The PIPL gives Chinese data principals new rights as it seeks to prevent the misuse of personal data, and includes stringent penalties, with fines as high as RMB 50 million or up to 5% of a company's turnover in the previous financial year. The Data Security Law (DSL), which came into force in September 2021, requires business data to be categorized by levels of importance and puts new restrictions on cross-border transfers.
Way forward
- Compensation for breach: A provision should be put in place in the law to compensate individuals in the event of a data breach, as is available under the EU's GDPR.
- Giving statutory status to the Data Protection Board: This would improve the functioning of the board and reduce executive interference. Appointments to the board should be made through a selection committee, on similar lines to the NHRC and other such bodies.
- More comprehensive: More provisions should be incorporated in the draft legislation rather than leaving it to the Executive to frame provisions.
- Respecting privacy: Rights such as data portability and the right to opt-out of data collection must be included. The right to privacy must be respected which, critics argue, seems to be lacking in this case.