Personal Data Protection Bill, 2019
Author: Shreyansh Rathi, Rajiv Gandhi National University of Law, Patiala
Introduction
With the rapid technological development of recent years, particularly in the field of Information Technology, the Internet has become a very important part of day-to-day economic activities. A large number of businesses and services have shifted online, matched by an expanding consumer base on digital media. While surfing the Internet, the common man often has to submit details such as phone number and email ID to avail of services or take part in online initiatives. This information is stored on the servers of the relevant service providers, which are many a time situated outside the country. As such details involve personal information, there is a constant threat to the privacy and protection of this data.
The Supreme Court, in the case of KS Puttaswamy and Ors. v. Union of India and Ors.[1] of 2017, held the Right to Privacy to be a Fundamental Right under Article 21 of the Indian Constitution, thus emphasizing the need to protect the personal information of individuals. As a result, demands for a comprehensive data protection law were raised, which ultimately led the government to form a nine-member committee headed by Justice B.N. Srikrishna to study data protection issues and propose legislation to deal with them. Influenced by the Puttaswamy judgment of 2017 and the European Union’s General Data Protection Regulation (GDPR), the committee submitted its report to the Ministry of Electronics and Information Technology, along with a draft Personal Data Protection Bill, in 2018.
Personal Data Protection Bill, 2019
After further deliberation and changes to the Draft Bill submitted by the Committee, the Cabinet finally approved the bill on 4 December 2019 as the Personal Data Protection Bill, 2019. The Bill was introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Dr. Ravi Shankar Prasad, on 11 December 2019. As of March 2020, the bill was being analyzed by a Joint Parliamentary Committee in consultation with experts and stakeholders.
The bill aims at revamping the country’s previous data protection scheme, i.e. the Information Technology Act, 2000. It seeks to govern data processing by the government, Indian companies, and foreign companies dealing with the personal data of people of India. It seeks to govern personal data collected, disclosed, shared, or processed within Indian territory. However, it will not cover small retailers collecting data manually for meeting other obligations[2].
Key provisions of the Bill
The Bill is aimed at protecting the personal data of individuals living in India from misuse and establishing a Data Protection Authority. The following are the key provisions of this bill:
1. Definition of Personal Data: Under the bill, Personal Data is defined as data relating to a natural person's characteristics, traits, attributes, etc. that helps in the identification of that individual. The bill also distinguishes between Sensitive and Critical Personal Data.
Sensitive Personal Data include financial and health data, sex life and orientation data, biometric data, caste, religion, tribe, and political affiliation data while Critical Personal Data refers to any type of personal data which the Central Government notifies from time to time.
2. Applicability: The Bill has within its ambit the power to govern personal data processing by the government, as well as by Indian and foreign companies dealing with the data of Indian individuals[3].
3. Data Fiduciary and its obligations: Data Fiduciary refers to the entity or person who has the authority to decide the means and purpose of processing personal data. Some of the obligations of the Data Fiduciary are as follows:
- Personal data can be processed only for purposes which are clear and lawful.
- Personal data can be collected by the Data Fiduciary only to the extent it is necessary, and the processing needs to be done fairly and reasonably, ensuring the privacy of the Data Principal.
- The privacy of the Data Principal (the person to whom the data relates) needs to be ensured.
- The Data Fiduciary has the obligation to furnish notice to the Data Principal in order to collect personal data.
- The Data Fiduciary needs to inform the Data Principal of where the data was collected from, in case it is not collected directly from him.
- The Data Fiduciary is restricted in retaining the personal data of the Data Principal.
- The Data Fiduciary remains accountable for all other provisions of the bill related to the processing of personal data.
4. Consent: Similar to the EU’s GDPR, the Personal Data Protection Bill puts a lot of emphasis on consent. The Bill makes it mandatory for data fiduciaries and processors to obtain the Data Principal’s consent before processing their personal data. It also defines valid consent: consent is valid when it is free, informed, clear, specific, and capable of being withdrawn. The person whose consent is taken needs to be able to foresee the scope and purpose of the data collected and to be processed. Consent can be withdrawn as simply as it was given.
The bill also introduces a special form of Data Fiduciary known as Consent Managers, entities through which Data Principals can give, withdraw, and manage their consent. They are required to be registered with the Data Protection Authority.
However, there are a few exceptions and exemptions to the Consent requirement:
- Performance of State Functions with legal compliance: The State has the authority to process personal data without obtaining the Data Principal’s consent, as authorized by and in compliance with law, for the benefit of the individual, the issuance of certificates, licenses or permits, compliance with judgments, etc. The State can also process personal data in cases of medical emergency, like pandemics.
- Employment: Employers, as Data Fiduciaries, can process the personal data, although not the Sensitive Personal Data, of current as well as prospective employees under certain special conditions like recruitment, termination, provision of benefits, verification of attendance, or assessment of performance.
- Reasonable Purpose: The Bill provides that for certain reasonable purposes like preventing and detecting unlawful activity, whistleblowing, mergers, acquisitions, credit scoring etc., there is no need for taking consent from Data Principal[4].
5. Rights of Data Principal: The Bill also lays down certain rights of the Data Principal whose data is collected, processed, and retained by Data Fiduciaries:
- Right of Obtaining Confirmation and Access: The Data Principal has the right to obtain confirmation about the processing of personal data. He is also given the right to obtain a brief account of how his personal data has been processed by the Data Fiduciary.
- Right of Correction and Erasing: The Data Principal has the right to ask Data Fiduciaries to correct incorrect or outdated personal data. He also has the right to have personal data erased when it is no longer required to be processed.
- Right of Portability of Data: The Data Principal also has the right to ask Data Fiduciaries to have Data Processors provide the personal data in a machine-readable format, and can also ask for the transfer of such data to other Data Fiduciaries.
- Right to be forgotten: It is the most important right that the new bill provides. The Data Principal has the right to restrict and end the continuous disclosure of his personal data to the Data Fiduciary if it is no longer necessary or the consent is withdrawn. The Adjudicating Officers have the authority to enforce this right.
Analysis
Positive Aspects of the Bill
- This draft bill puts the onus on Data Fiduciary for seeking free and informed consent from the Data Principal.
- It also provides the Data Principal with the Right to be Forgotten as well as the right to withdraw his consent to the processing of Sensitive Personal Data.
- It provides the Data Principals the rights to confirmation and correction of Personal Data.
- The Bill has strict provisions for companies, whether Indian or foreign, that flout the provisions of the bill.
- The Bill also has strict provisions for cases where personal data is leaked through government departments and offices.
- The Bill has also expanded the definition of Sensitive Personal Data and included health, financial and sex related data.
- The Bill also has stringent provisions for protection of personal data of children to protect their interests.
Shortcomings and Criticism of Bill
- Although the bill provides various rights to Data Principals, such as the Right of Portability, Updating and Correction, the Right to be Forgotten is very vaguely worded.
- There is no specific mention of a Right of Deletion or a Right to Object to Processing.
- Only the Data Protection Authority has the power to decide whether Data Breaches are to be reported to affected users or not.
- There is no attempt to curb Government surveillance. On the contrary, Data Localisation may further aggravate it.
- The government has arbitrary power to declare any personal data as critical and mandate its storage within India.
- The compulsion to store one copy of personal data in India will lead to additional cost for companies.
- Such regressive restrictions on the cross-border flow of data may have opposite effects in the era of globalisation.
Conclusion
Although the Personal Data Protection Bill has been a good step forward by Indian legislators for the protection of the interests of ordinary citizens, there exist certain loopholes and shortcomings within the draft bill that need to be looked into by the Joint Parliamentary Committee, and the required changes need to be made. The personal data of individuals is an integral part of their Right to Privacy, and thus the legislation, after proper changes, can play a great role in protecting personal data and thereby the privacy of individuals.
[1] (2017) 10 SCC 1
[2] Suneeth Katarki & Namita Vishwanath, The Personal Data Protection Bill, 2019: Key Changes and Analysis, Mondaq, https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and-analysis
[3] Rithun S, Personal Data Protection Bill and Right to Privacy- Explained, Brillopedia.net, https://www.brillopedia.net/post/personal-data-protection-bill-and-right-to-privacy-explained
[4] Karthikeyan P, Explained: The Personal Data Protection Bill, 2019, Libertatem.in, https://libertatem.in/articles/explained-the-personal-data-protection-bill-2019/