- Privacy issues in India
- Issues in the Bill
- IT’s Input
- Provisions of Personal Data Protection Bill, 2019
Unfulfilled promise On Personal Data Protection Bill
For IASToppers’ Editorial Simplified Archive, click here
India’s Personal Data Protection Bill, 2019 starts encouragingly, seeking to protect “the privacy of individuals relating to their personal data”. But by the end, it is clear it is not designed to deliver on the promise.
Privacy issues in India
- Recent events have cast doubts about whether the Government is serious about delivering on the privacy promise.
- Recently, messaging platform WhatsApp said that some Indian journalists and rights activists were spied using Pegasus spy-software, made by an Israeli company which only works for government agencies across the world.
- Google too had alerted 12,000 users, including 500 in India, regarding government-backed phishing attacks (fraudulent attempt to obtain sensitive information) against them.
Issues in the Bill
- Under the Bill, the central government can exempt any of its agencies from the provisions of the Act in interest of security of state and integrity of India and friendly relations with foreign states.
- Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention or prosecution of any offence or (ii) personal, domestic, or (iii) journalistic purposes.
Too much power given to government in the Bill’s provisions
- The Bill gives wide powers to the Government to dilute any of the provisions of Bill for its agencies.
- Justice B.N. Srikrishna committee, whose report forms the basis of the Bill, noted that the dangers to privacy originate from state and non-state actors. It, therefore, called for exemptions to be narrow and available for use in limited circumstances.
- It had also recommended that the Government bring in a law for the oversight of intelligence-gathering activities, the means by which non-consensual processing of data takes place.
Members of Data Protection Authority of India are Government nominees
- A related concern about the Bill is regarding the constitution of the Data Protection Authority of India, which is to monitor and enforce the provisions of the Act.
- It will be headed by a chairperson and have not more than six whole-time members, all of whom are to be selected by a panel filled with Government nominees. In other words, Government agencies will be regulated by themselves as they are major collectors and processors of data themselves.
The sweeping powers the Bill gives to the Government renders meaningless the gains from the landmark K.S. Puttaswamy vs. Union of India case, which culminated in the recognition that privacy is intrinsic to life and liberty, and therefore a basic right. That idea of privacy is certainly not reflected in the Bill in its current form.
Provisions of Personal Data Protection Bill, 2019
- The Personal Data Protection Bill, 2019 seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same.
- The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
- The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs etc.
Obligations of data fiduciary:
- A data fiduciary is an entity or individual who decides the purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations.
- For instance, personal data can be processed only for specific purpose and all data fiduciaries must undertake certain transparency measures such as implementing security safeguards, instituting grievance redressal mechanisms etc.
Rights of the individual:
- The Bill sets out certain rights of the individual such as i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary.
Grounds for processing personal data:
- The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
Social media intermediaries:
- The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries which have users above a notified threshold, and whose actions can impact public order, have certain obligations which include providing a voluntary user verification mechanism for users in India.
Data Protection Authority:
- The Bill sets up a Data Protection Authority which may take steps to protect interests of individuals and ensure compliance with the Bill. It will consist of a chairperson and six members.
Transfer of data outside India:
- Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual. However, such data should continue to be stored in India.
- Offences under the Bill include: (i) processing personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher.
Sharing of non-personal data with government:
- The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
- The central government can exempt any of its agencies from the provisions of the Act in interest of security of state and integrity of India and friendly relations with foreign states. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, or prosecution of any offence or (ii) personal, domestic, or (iii) journalistic purposes.
Amendments to other laws:
- The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.