- ‘Data protection’ as a concept emerged in postwar Europe, and can be understood as one's expression of the desire to safeguard an individual’s family and personal life.
- Its legal basis can be traced back to the UN Human Rights Declaration of 1948, which included the Right to Privacy.
- The increasing use of computers for Business transactions, led OECD to issue guidelines on Data Protection 1980.
- The European Union in 1995, became the nerve centre of data protection in 1995, when they created European Data Protection Directive.
Today, as reliance on machines increase, more than 130 countries now have data protection regulations in some form to tackle the quagmire of data ecosystems. In this regard, we shall delve deeper into the matter and understand why there is a need to amend and contemporize the data protection legislation in India.
Present Scenario in India
- The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha during the Winter session of 2019. It was then referred to a joint parliamentary standing committee (JPC) for review.
- The 30-member JPC has proposed multiple amendments to the bill. This was a result of a lengthy deliberation process — the highest for any bill till now.
- This highlights the complexities involved in the subject and its current importance.
- The amended bill is expected to be tabled in the ongoing (2021-22) budget session.
Data and its protection
- Data is factual information (such as measurements or statistics) used as a basis for reasoning, discussion, or calculation.
- Data can be broadly classified into two types: personal and non-personal data
- Personal data: The Personal Data Protection Bill, 2019 defines Personal data pertains to characteristics, traits, or attributes of identity, which can be used to identify an individual.
- Non-personal data:
- A Committee of Experts, constituted by MEITY, to devise framework for regulation of Non-Personal Data (NPD), defines NPD as data that either:
- never related to an identified or identifiable natural person; or
- is sourced from personal data (PD), i.e. it is data which was initially personal but was later aggregated and made anonymous.
Based on this definition, the Committee has broadly categorised NPD into the following:
- Public NPD - collected or generated by the government or in the course of publicly funded work and excluding data that is treated confidentially under any law.
- Private NPD - collected or produced by persons or entities other than the governments. This would therefore include any and all data that is collected by private entities that it is not Community NPD.
- Community NPD - whose source or subject is a community, i.e. a group of people that are bound by common interests and purposes and involved in social/economic interactions, including entirely virtual communities. This may include data collected by the municipal corporations, public electric utilities etc.
- Data protection refers to policies and procedures seeking to minimize intrusion into the privacy of an individual caused by the collection and usage of their personal data.
How Data is handled?
- Data Principal is an individual or entity who is responsible for generation of the data.
- Data is collected and handled by entities called data fiduciaries.
- While the fiduciary controls how and why data is processed, the processing itself may be by a third party, the data processor.
- The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.
Why data has become so important?
- Convincing way of advertising: Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise to you online.
- Volume:The amount of data is immense, which means wider coverage or reach
- New products and services.With the ability to gauge customer needs and satisfaction through analytics comes the power to give customers what they want.
Need for data protection
- Wide coverage, more risk: With a population of over a billion, there are about 500 million active web users and India’s online market is second only to China.
- To protect individual’s privacy: Data protection is then needed to protect the Right to Privacy, guaranteed under Article 21 of Constitution, of Indian citizens.
- To protect national sovereignty: The future of economy and law enforcement can be seen to be highly dependent on data and its analysis, thus its proper use becomes important to protect National Sovereignty.
- To save lives: Recent news of instant money lending applications harassing—calling family and friends after gaining access to contacts, publishing morphed photographs accessed from phone gallery—and publicly shaming defaulters have resulted in multiple suicides, which is peak harm.
- To stop ‘risky’ influencing: It is important to restrict use of data by data colonising companies such as Facebook, Whatsapp. Data Colonisation is basically a monopoly of few companies over data of the public at large.
- For example in the Cambridge Analytica Scandal the personally identifiable information of up to 87 million Facebook users was collected. This data was then allegedly used to attempt to influence voter opinion.
- To stop leakages, blackmails and extortion: As India lacks a Data protection Act, it has faced leakages, blackmails and extortions at a higher frequency than other countries.
- For example, recently a German cyber security firm reported that the medical details of many Indian patients were leaked and are freely available on the Internet. Such information has the potential to be mined for deeper data analysis and for creating profiles.
How is personal data regulated currently?
- Currently, the usage and transfer of personal data of citizens are regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000.
- Under the rules, companies using the data are liable for compensating the individual, in case of any negligence.
- However, the current rules have some shortcomings:
- The definition of sensitive personal data under the rules is narrow
- Some of the provisions can be overridden by a contract
- IT Act applies only to companies, not to the government
- With the current pace of development of the digital economy, the time has come for India to contemporize data protection legislation.
- Personal data protection bill was an effort in this direction
Background on Personal Data Protection Bill, 2019 (PDP Bill)
- In 2017 the Supreme Court held that privacy is a fundamental right, flowing from the right to life and personal liberty under Article 21 of the Constitution.
- SC also observed that the privacy of personal data and facts is an essential aspect of the right to privacy
- Following which a Committee of Experts, chaired by Justice B. N. Srikrishna was set up to examine various issues related to data protection in India.
- Based on the committee’s recommendations, the PDP bill, 2019 was introduced in the Parliament.
- The Bill seeks to:
- Provide for the protection of personal data of individuals
- Create a framework for processing such personal data
- And establish a Data Protection Authority for the purpose
- The Bill governs the processing of personal data by (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with the personal data of individuals in India
Provisions of the current PDP Bill
- Applicability - The Bill governs the processing of Personal Data by -
- Companies incorporated in India
- Foreign Companies dealing with personal data of individuals in India
- Classification (personal data): The Bill classifies Personal data into three categories:
- Sensitive data constitutes or is related to passwords, financial data, health data, official identifier, sexual orientation, religious or caste data, biometric data and genetic data. It may be processed outside India with the explicit consent of the user.
- Critical data will be characterised by the government every once in a while, and must be stored and handled only in India.
- General data: Any data that is non-critical and non-sensitive is categorised as general data with no limitation on where it is stored or managed.
- Provides for obligations of Data fiduciary:
- Data Fiduciary is an entity or individual who decides the means and purpose of processing personal data.
- Bill establishes that all Data fiduciaries must take transparency and accountability measures - i) implementing data security measures like encryption and ii) constitute grievance redressal mechanisms.
- Rights (of individual): The bill mentions certain Rights of the individual (data principal), which include:
- obtain confirmation from the fiduciary on whether their personal data has been processed
- seek correction of inaccurate, incomplete, or out-of-date personal data
- have personal data transferred to any other data fiduciary in certain circumstances
- restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn
- Personal Data can be processed by data fiduciaries only after consent of the concerned individual. But in certain cases like, if required by the State to provide benefits to individual, legal proceedings and medical emergencies, the data can be processed even without consent.
- The bill defines social media intermediaries as those intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries having a user base above a certain threshold, that can influence electoral democracy, have certain extra obligations.
- The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill.
- The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
- The central government can exempt any of its agencies from the provisions of the Act
Concerns raised by Joint Parliamentary Committee
- The concerns regarding the bill raised by the JPC is centered around the following five aspects:
- the government’s powers to access citizen data without consent
- inclusion of non-personal data in the new law
- the absence of judicial participation in selecting the head of the regulatory body (i.e. Data Protection Authority)
- whether data should be localized in India
- verification of social media users
Concerns regarding the government’s powers to access citizen data without consent:
- Section 35 of the bill allows the Centre to exempt its agencies from some or all provisions of the bill for national security and public order
- This provision can be misused by the government authorities
Concerns regarding the inclusion of non-personal data in the bill:
- The proposed law allows the Central government to seek any anonymized or non-personal data from companies for policy making.
- However, mandatory sharing of non-personal data can have unintended consequences such as violation of proprietary rights of businesses, privacy risks, and discouraging business innovation and growth
Concerns on data-localization:
- N. Shrikrishna report suggested that the data fiduciaries should be required to maintain a copy of all personal data in India
- However, the 2019 Bill does not provide any localization or data transfer restrictions for personal data that is not considered sensitive or critical.
- In this regard let us examine positive and negative aspects of data localization.
- The recent incident where Israeli malware Pegasus, hacked Whatsapp accounts of 121 Indians, helped make a strong case in favour of Data Localization. As data security can be ensured if it is localized and this eventually preserves National sovereignty.
- India can become a hub of innovation and capitals of data processing if a data protection regime is in place
- Indian engineers along with the enormous data are fantastic resources for a big technology revolution, this will give a boost to domestic industries.
- It will help law-enforcement agencies to easily access data for investigation.
- Strict regulations can push India out of global value chains involving cross-border data flows. For example, it can impact India’s flourishing IT-BPO sector.
- As of now, the flow of cross boundary data is controlled by Bilateral - ‘mutual legal assistance treaties’. Convincing so many countries will be cumbersome.
- Therefore, localization can address some concerns but seeing it as a panacea to privacy and strategic concerns can be counterproductive in the long run.
Concerns regarding verification of social media users:
- The Bill 2019 has brought the social media intermediaries within its purview.
- The social media intermediary which may be notified as a significant Data Fiduciary by the Central Government will be required to allow its users to verify their accounts voluntarily
- These notified social media intermediaries will also be subject to audit by an independent data auditor.
- This will increase the compliance burden of social media businesses and negatively impact the ease of doing business objectives.
The JPC has reviewed all the above-discussed concerns regarding the bill and has recommended 89 amendments and 1 new clause in the final draft. However, there are few concerns which still remain unanswered.
- The bill exempts data processors from following any obligation for processing the personal data of foreigners received from clients abroad.
- This could potentially result in the mushrooming of a “sinister” data processing industry that runs on unsanctioned processing and abuse of personal data of foreigners.
- The current bill does not provide effective means or remedies to users against the collection and processing of personal data by foreign government agencies either directly or through the private sector.
- High compliance costs coupled with the provision of heavy fines could hamper the growth of MSMEs, which are already reeling under pressure.
- In this regard, the government can help by providing open-source tools for data processing management to registered Indian MSMEs, like GSTN offers free accounting and billing software.
- Lastly, the bill does not address some open-ended questions. Like, what happens to:
- data with apps that are banned (like TikTok)
- Data with companies that get dissolved
- personal data after an individual’s demise
Committee of Experts on Non-Personal Data
- The Committee was set up by the Ministry of Electronics and Information Technology (MEITY) to devise regulation for Non-personal Data.
- The Committee released its report (Report) on 12 July 2020 for public consultation/feedback.
- Rationale - Data has an economic and social value, and today it has got concentrated in the hands of a few companies who have become monopolies in the absence of any regulation. The introduction of an NPD framework is aimed at catalysing data companies such that the welfare of all relevant stakeholders is maximised.
- The Committee has defined Sensitive NPD, which is NPD that may relate to (i) national security or strategic interests such as vital infrastructure; (ii) business sensitive or confidential information; or (iii) anonymised data, that bears a risk of re-identification.
- The Committee has identified key stakeholders that will play a part within NPD Framework:
- Data Principal: A person (individual, companies) or community that generate the data.
- Data Custodian: This is the person who undertakes collection, storage, processing and use of NPD.
- Data Trustee: This is the person through which a community exercises its data rights and who takes action to protect the community against any collective harm arising from the use of Community NPD.
- Data Trust: This is an institutional structure bound by rules for handling a specific set of NPD.
- The Committee has recommended the establishment of a Non-Personal Data Authority, to regulate the collection, processing, storage and sharing of NPD.
International scenario on data protection
European Union - General Data Protection Legislation (GDPR)
- The European Union has a long history of data protection legislation. GDPR is a mature and well-developed data protection law and forms a baseline for privacy principles.
- It provides for a uniform and simplified legislative framework. It will establish one single pan-European set of rules that will make it simpler and cheaper for companies to do business in the EU.
- One of its important characteristics is - ‘Right to be forgotten’
- Australia is a good example of a country that has amended and expanded its privacy legislation over many years, resulting in an up-to-date law with fairly comprehensive coverage
- One interesting aspect of the Australian regime is that there are no registration requirements for private- sector organizations in Australian privacy law.
- The international transfer of personal data is restricted unless organizations can meet certain requirements. These include consent, storage standards and the legal protection of the data in the recipient country.
There is an urgent need for India to bring out a comprehensive Data Protection Legislation, to provide a certainty to the companies looking forward to investment in India and on other hand protects the right to privacy of its citizens. A firm step towards data protection will lead to economic prosperity, policy certainty which will eventually boost innovation and boost public confidence and trust. With the brunt borne by India due to the Pandemic, this law may become a step towards stability of Indian economic and social milieu.