In 2017, the Indian Supreme Court declared the ‘Right to Privacy’ to be a part of the fundamental right to life under Article 21 of the Indian Constitution in the case of Justice K.S. Puttaswamy and another v Union of India.
Prior to this, protection of personal data and information was governed by certain provisions of the Information Technology Act, 2000 (“IT Act”), primarily Section 43A and Section 72A of the IT Act, and by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) framed under Section 43A of the IT Act for dealing with sensitive personal data or information (“SPDI”). Apart from the IT Act, there are sector-specific regulations and norms for banking, telecom, insurance and payment systems, along with certain provisions of the Indian Penal Code, 1860, which also touch on privacy.
The Aadhaar judgment of 2018 is another case in which the right to privacy was examined. The question that arose was whether the implementation of the Aadhaar card was a reasonable exception to, or an infringement of, the right to privacy. The Supreme Court held that the right to privacy cannot be impinged upon without a just, fair and reasonable law, and as a result struck down certain provisions that did not sit well with the right to privacy. This made the need for a clear and concrete law all the more pressing, one that can be implemented without individual rights being moulded to fit the laws that follow.
It was after the landmark judgment in 2017 that the Ministry of Electronics and Information Technology, Government of India, constituted an expert committee under the chairmanship of Justice B.N. Srikrishna, which released a draft of the Personal Data Protection Bill, 2018 (“Privacy Bill”) in August 2018. The Privacy Bill is largely inspired by the European Union’s General Data Protection Regulation (EU GDPR).
On 11th December 2019, the Bill was introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad. The key features of the Personal Data Protection Bill, 2019 are:
1. Personal Data
The Bill regulates three categories of data: Personal Data, Sensitive Personal Data and Critical Personal Data.
“Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.
“Sensitive Personal Data” means personal data revealing, related to, or constituting, as may be applicable— (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe; (xii) religious or political belief or affiliation; or (xiii) any other category of data specified by the Authority under section 22. This is the list from the 2018 draft; “passwords” have been removed from the list of sensitive personal data in the 2019 Bill. Sensitive personal data may be transferred for processing outside India with the data principal’s explicit consent and the approval of the Data Protection Authority or the Central Government, but a copy must continue to be stored in India.
“Critical Personal Data” has not been defined in the Bill; it covers any personal data that the Central Government notifies as critical personal data, and such data may be processed only in India.
2. Data Protection Authority
The PDP Bill introduces a new regulator, the Data Protection Authority, India’s first cross-sector data protection regulator, with the power to protect the interests of data principals by preventing misuse of personal data and raising awareness among the public. The functions of the Authority include taking action in case of a data breach, maintaining a list of data fiduciaries, examining data audit reports and advising the Government on matters relating to data protection.
3. Rights of Individuals/Data Principals
Data principals (data subjects) are given the following rights:
- Right to confirmation and access – confirmation of whether the data fiduciary is processing or has processed the data principal’s personal data, along with a brief summary of the processing activities undertaken. The right to access also covers the identities of the data fiduciaries with whom the personal data has been shared and the categories of personal data shared.
- Right to correction – subject to conditions, the data principal has the right to have inaccurate or misleading personal data corrected, incomplete personal data completed, outdated personal data updated, and personal data that is no longer necessary for the purpose of processing erased.
- Right to data portability – where processing is carried out by automated means, the data principal has the right to receive the personal data in a machine-readable format.
- Right to be forgotten – the right to restrict or prevent the continuing disclosure of personal data where the purpose has been served, where the consent for use of the personal data has been withdrawn, or where the disclosure was made contrary to law.
4. Significant Data Fiduciaries
The Data Protection Authority can notify any data fiduciary as a significant data fiduciary on the basis of the volume and sensitivity of the personal data being processed, the data fiduciary’s turnover, the risk of harm from the processing, the use of new technologies for processing, and any other factor that may cause harm from such processing. A significant data fiduciary will have to carry out a Data Protection Impact Assessment before undertaking any processing involving new technologies or sensitive personal data such as biometric data, and must have its compliance evaluated by a data auditor.
5. Children’s Data Privacy
The protection of the rights and best interests of the child is the primary concern when processing a child’s data. Data fiduciaries can process a child’s personal data only after verifying the child’s age and obtaining the consent of the parent or guardian. The Data Protection Authority can classify any data fiduciary that operates services directed at children, or processes large volumes of children’s personal data, as a “guardian data fiduciary”. A guardian data fiduciary is barred from profiling, tracking or monitoring the behaviour of children, from targeting advertisements at children, and from carrying out any other processing that can cause significant harm to a child.
6. Exemptions to the Government
The Central Government may, by an order with reasons recorded in writing, exempt any government agency from the provisions of the Act in respect of processing of personal data, in the interest of the sovereignty and integrity of India, national security, friendly relations with foreign states or public order, or for preventing incitement to the commission of any cognizable offence relating to these matters. Apart from the exemptions for government agencies, the Bill also exempts processing of personal data for law enforcement, judicial proceedings, journalistic purposes and personal or domestic purposes.
7. Social media intermediaries and verification
The Central Government, in consultation with the Data Protection Authority, has the power to notify a “social media intermediary” as a “significant data fiduciary” if its number of users crosses a prescribed threshold and its actions have, or are likely to have, a significant impact on electoral democracy, the security of the State, public order or the sovereignty and integrity of India. A social media intermediary has been defined as “an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services”. This does not include intermediaries which primarily enable commercial or business transactions, provide access to the internet, or operate as email services, search engines or online encyclopaedias. Social media intermediaries classified as significant data fiduciaries will have to offer an account verification option to willing users, and verified users will be given a visible mark of verification; the verification itself is voluntary.
8. Consent Manager
The Bill allows individuals (data principals) to give, manage, review or withdraw consent for the personal data provided to a data fiduciary through a “consent manager”, an entity registered with the Data Protection Authority.
9. Processing without consent
Personal data can be processed without consent for the performance of a state function and for reasonable purposes. State functions include the provision of state services and benefits, responding to medical emergencies, and certain employment-related purposes, whereas reasonable purposes include prevention of unlawful activities, whistle-blowing, credit scoring, debt recovery and the operation of search engines.
10. Cross-border restrictions
Personal data that is neither sensitive personal data nor critical personal data is exempt from cross-border transfer restrictions. Sensitive personal data may be transferred outside India only when the data principal has given explicit consent and the Central Government, in consultation with the Data Protection Authority, is satisfied that the data being transferred will receive an adequate level of protection. Critical personal data may be transferred outside India only for specific purposes, which include individual emergencies and emergencies affecting the country.
11. Data Localization
‘Sensitive personal data’ may be transferred outside India, but a copy of it must continue to be stored in India. ‘Critical personal data’ (which will be notified by the Central Government) must be processed only in India, subject to the limited exceptions noted above.
12. Requirement to Share Anonymized Data with Government
The Central Government, in consultation with the Data Protection Authority, may direct data fiduciaries to share non-personal or anonymised data with it for better targeting of service delivery or for the formulation of evidence-based policy.
13. Innovation sandbox for artificial intelligence and emerging technology
The sandbox is created to encourage innovation in artificial intelligence, machine learning or any other emerging technology in the public interest. Any data fiduciary whose privacy by design policy is certified by the Data Protection Authority is eligible to apply. The applicant must state the term for which it seeks to use the sandbox, the innovative use of technology proposed, and the data principals who would participate in the proposed processing.
14. High penalties
Penalties under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs. 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher; and (ii) failure to conduct a data audit, punishable with a fine of Rs. 5 crore or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is an offence punishable with imprisonment of up to three years, or a fine, or both.
The Bill aims to protect the privacy of individuals with respect to their personal data and governs the relationship between individuals and the entities that process that data. At the same time it seeks to build a robust digital economy by enabling innovation through digital governance.
EU GDPR and the Privacy Bill 2019
Certain clauses set the Privacy Bill apart from the EU GDPR, chief among them the framework for deciding whether or not data may leave the country. Although both laws give the executive the authority to decide whether data may be transferred outside the jurisdiction, the EU GDPR lays down detailed parameters for such decisions. Further, the EU GDPR addresses individual harm from automated decision-making, while the Indian Bill requires an assessment only in cases of large-scale profiling and does not give the data principal a right to object to profiling, except in the case of children. Lastly, the PDP Bill treats ‘sensitive personal data’ (including health data, biometric data and so on) as a sub-category of personal data; while this resembles the ‘special categories’ of data under the GDPR, the GDPR does not impose separate cross-border transfer or storage rules for such data.
There are also clauses that are similar in both laws: the concept of ‘consent’, under which data may be processed only when the individual permits it; grounds for processing without consent for the prevention and investigation of criminal offences, public security, defence and judicial proceedings; individual rights including the right to correction, the right to portability and the right to be forgotten; and similar obligations regarding grievance redressal and codes of conduct.
Impact on Business
Beyond privacy, the Bill has consequences for foreign investment and business opportunities in India. Data collected in India, including sensitive personal data, may be transferred outside India, but a copy of sensitive personal data must continue to be stored in India. In either case, the explicit consent of the data principal is necessary before data moves abroad, along with the other conditions for cross-border transfer under Section 34. According to the Internet and Mobile Association of India (IAMAI), the proposed law will impose extra costs that could harm the business environment. The extent of some of the proposed requirements, such as mandated storage of data on local servers, will test the capacity of small data fiduciaries. The Bill requires every data fiduciary collecting personal data to have a “Privacy by Design” policy in place and provides for its certification by the Data Protection Authority; IAMAI has said such rules will create a restrictive certification and licensing regime and may handicap India’s technology start-ups. Additional obligations are imposed on companies based on the volume of data they collect from customers, including periodic security audits, appointment of a data protection officer, and data protection impact assessments as defined by the regulator. Social media platforms such as Facebook, Twitter and WhatsApp will be required to let users submit a government-approved identity proof for voluntary account verification, akin to the blue tick reserved for public figures.
In addition, high penalties are imposed: the Bill states that companies that fall foul of the data protection requirements will have to pay up to 150 million rupees ($2.1 million) or 4% of their annual turnover, whichever is higher, and failing to conduct a data audit will attract a penalty of 50 million rupees or 2% of annual turnover, whichever is higher.
At present the Bill is still in the process of enactment, having been referred by the Lok Sabha to a Joint Parliamentary Committee. What is important to note is that after its enactment, individuals will need to be careful in dealing with and giving permissions for their personal data, and the Data Protection Authority will bear the responsibility of making data fiduciaries comply with the provisions of the Act. In conclusion, the proposed Data Protection Bill, or Privacy Bill, is a welcome step that will put ownership of data in the hands of individuals, with safeguards provided by the Data Protection Authority and the Central Government. Complying with these requirements may nonetheless prove challenging, as it could hinder the ability of foreign companies to invest in India and of Indian businesses to innovate for Indian consumers. It is time to follow leads like the GDPR and set an example for the rest of the world of how a good policy can bring a whole nation together to protect the rights of individuals, making available only that data whose use does not hinder the rights of data principals.
ABOUT THE AUTHOR
Avni Singh, 5th Year, Government Law College, Mumbai.