Right to Privacy and Personal Data Protection Bill 2019

This is an exhaustive and comprehensive research paper on the topic Right to Privacy and Personal Data Protection Bill 2019 authored by Deepanshi Jain, 1st Year Law student at Indore Institute of Law, Indore.

Abstract

The Right to Privacy stands recognized in the Indian Constitution. Article 21 of the Indian Constitution provides for the right to privacy as a necessary ingredient of the right to life and personal liberty. With the advent of technology, the privacy of personal data and information has become an issue in the present era. Privacy is something that is not to interfere with the interest of others. Privacy is becoming a concern of every individual due to technological advancement, and more narrowly it calls for the protection of data. Data protection emphasizes individual liberty, and this liberty is under threat from interference by strangers. Such interference by a stranger with an individual’s activity, by any means, needs to be halted. The Personal Data Protection Bill is a significant step toward the protection of individual data in a regulatory manner.

The present article provides insights into the Personal Data Protection Bill, its importance, and the few drawbacks of the bill.

Introduction

The Right to Privacy is a multidimensional concept. In the context of personal data, it refers to the specific right of an individual to control the collection, use, and disclosure of his personal information. Personal information could be in the form of identity details, personal interests, habits, activities, records of the family, education, communication, health, finance, etc. We are living in an era where personal information can be used innovatively for various purposes including state surveillance and revenue generation by businesses. There are various techniques like clustering, geotagging, and geocoding which enable various other uses of available personal data of an individual without his knowledge. As such, it is of utmost importance to have a robust and effective data protection regime that will strike a balance between innovation and protection of privacy. An effective data protection law should be in force to resolve the problem faced by the people and to ensure that their data privacy is maintained.

Personal Data Protection Bill 2019

The Personal Data Protection Bill contemplates a drastic change in data collection and processing practices in India. So far, both the private sector and the state have operated in a largely unregulated space, where they do not have to worry about checks and balances and processes to protect the privacy interests of the citizens. Data can be bifurcated into two categories: personal and non-personal data. Personal data relates to characteristics, traits, or attributes of identity that can be used to identify an individual. Non-personal data includes aggregated data that cannot be used to recognize an individual. Data protection policies and procedures aim to minimize the invasion into the privacy of an individual caused by the collection and usage of their data, thus maintaining their fundamental rights.

Reason for Proposal of Personal Data Protection Bill

The Supreme Court in its various judgments held privacy as a fundamental right under Article 21 of the Constitution. The Court also observed that the privacy of personal data and facts is an essential aspect of the right to privacy.  In July 2017, a Committee of Experts, headed by Justice B. N. Srikrishna, was set up to address various issues related to data protection in India. The Committee reported the need for the Personal Data Protection Bill to maintain the privacy of an individual.

Personal Data Protection Bill 2019 Regulation

At present, the usage and transfer of personal data of citizens are regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. The rules make the companies using the data liable for compensating an individual where the company is negligent in maintaining security standards while dealing with the data. The Expert Committee in its report held that, with the pace of development of the digital economy, the IT Rules suffer from several shortcomings, for example:

  • the definition of sensitive personal data under the rules is narrow, and some of the provisions can be overridden by a contract.
  • the IT Act applies only to companies, not to the government.

The IT Rules were a novel attempt to protect the privacy of personal data at the time they were introduced, but today the need of the hour is to have effective legislation in place.

Aims of Personal Data Protection Bill

The Bill seeks to regulate personal data related to individuals, and the processing, collection, and storage of such data. The Bill defines a Data Principal as an individual whose personal data is being processed and a Data Fiduciary as an entity or individual who decides the means and purposes of data processing. The Bill governs the processing of personal data by both government and companies incorporated in India, and it will also govern foreign companies if they deal with the personal data of individuals in India. Thus the Bill helps to maintain the privacy of an individual.

Individuals’ Rights over their Data

The Bill gives the data principal certain rights for their data. These include seeking confirmation on whether their data has been processed, seeking correction, completion, or erasure of their data, seeking transfer of data to other fiduciaries, and restricting continuing disclosure of their data, if it is no longer necessary or if consent is withdrawn. The processing of Personal Data of individuals requires the consent of the data principal.

Restrictions on Processing of Data

The Bill also places certain obligations on data fiduciaries concerning the processing of personal data: fiduciaries may collect data only subject to certain purpose, collection, and storage limitations, implying that personal data can be processed only for a specific, clear, and lawful purpose. Moreover, these data fiduciaries must follow a certain code of conduct. They need to ensure certain transparency and accountability measures, such as implementing security safeguards and instituting grievance redressal mechanisms to address complaints of individuals. Certain fiduciaries would be notified as significant data fiduciaries. These fiduciaries must undertake additional accountability measures such as conducting a data protection impact assessment before conducting any processing of large-scale sensitive personal data.

The Grievance Redressal Mechanism

The Bill aims to provide a redressal mechanism to ensure protection with regard to the processing of personal data of individuals; to that end, it provides for setting up a Data Protection Authority. The Authority will be a specialist in fields related to data processing, such as data protection and information technology. Any individual who is not satisfied with the grievance redressal by the data fiduciary can file a complaint to the Authority. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court. Thus, it ensures a proper redressal mechanism.

Exemptions for Processing of Personal Data

Processing of personal data is exempted from the provisions of the Personal Data Protection Bill in some cases. For instance, the central government can exempt any of its agencies from following the code of conduct as provided in the Bill in the interest of the security of the State, public order, sovereignty and integrity of India, and friendly relations with foreign states. Further, the processing of personal data is also exempted from provisions of the Bill for certain other purposes such as prevention, investigation, or prosecution of any offense, or research and journalistic purposes. Moreover, the personal data of individuals can be processed without their consent in certain circumstances such as:

  • If required by the State for providing benefits to the individual,
  • In certain legal proceedings,
  • In situations of medical emergency.

The Salient Features of Personal Data Protection Bill 2019

The following are the salient features of the Bill:

  • The PDP Bill is meant to improve data handling and data privacy in a way that is similar to the European Union’s GDPR (General Data Protection Regulation).
  • The PDP Bill calls for the creation of a Data Protection Authority (DPA) similar to the organizations found among members of the European Union and defines the categories of sensitive personal data that are to be protected.
  • The PDP Bill prescribes various obligations for Data Fiduciaries on how they shall obtain, process, and retain personal data. It makes them accountable for compliance with the obligations in respect of the processing of personal data undertaken by them or on their behalf.
  • In the PDP Bill, there are certain provisions through which the businesses would have to tell users about their data collection practices and seek customers’ consent. They would have to collect and store evidence of the fact that such notice was given and consent was received. The PDP Bill also gives consumers the right to withdraw their consent and as such the businesses would have to come up with systems to allow consumers to withdraw their consent.
  • The PDP Bill gives consumers the right to access, correct, and erase their data after the same is processed for the purpose for which it was meant. As such, the businesses would have to create ways to allow consumers to do so.
  • The PDP Bill empowers the consumers to transfer their data, including any inferences made by businesses based on such data, to other businesses. All companies would have to develop ways for allowing the consumers to do this.
  • The PDP Bill would require all businesses to make organizational changes to protect data better. This includes privacy-by-design principles (an approach in which privacy is a key consideration in how the business is organized), security safeguards, and so on.
  • The PDP Bill provides for data localization requiring businesses to store certain categories of data only in Indian servers. In this regard, it establishes a three-tiered structure as follows:
  1. Personal data: Localisation or data transfer restrictions do not apply to personal data that is not considered “sensitive” or “critical.” This type of personal data may be stored entirely outside of India and no transfer restrictions would apply.
  2. Sensitive personal data: “Sensitive personal data” may be transferred outside of India, but such data shall continue to be stored in India. Sensitive personal data includes “special categories of personal data” including data relating to health, religion, sex life, political beliefs, biometric, genetic, finance, etc. Notably, passwords have been removed from the definition.
  3. Critical personal data: The Bill permits the Government to define certain personal data as “critical personal data” which cannot be transferred outside India. However, the Bill permits transfers to countries or organizations deemed to provide an adequate level of protection (where the State’s security or strategic interests will not be prejudiced).
  • The PDP Bill provides for a right to be forgotten which enables a data principal to restrict or prevent the continuing disclosure of his data by a data fiduciary where such disclosure:
  1. has served the purpose for which it was collected or is no longer necessary for the purpose;
  2. was made with the consent of the data principal and such consent has since been withdrawn; or
  3. was made contrary to the provisions of this Act or any other law for the time being in force.
  • The PDP Bill requires data fiduciaries to inform the DPA by a notice about the breach of any personal data processed by them where such breach is likely to cause harm to any data principal.
  • Under the Bill, “significant data fiduciaries” will have extra duties, such as carrying out data audits and appointing data protection officers. The Bill empowers the Central Government to declare any social media intermediary (one that enables interaction between two or more individuals, such as Facebook) with users above such threshold as may be notified, as a significant data fiduciary.
  • The PDP Bill gives enormous powers to the Central Government to exempt any agency of Government from the application of the Act.
  • Under Section 91 of the PDP Bill, the Government can access any anonymized personal data or non-personal data from the data fiduciaries and processors. So, the Government can require businesses to share valuable non-personal data (such as aggregate mobility data collected by apps like Google Maps or Uber) with the Government. The Bill is silent on whether businesses will be compensated for their loss.

Thus, the Bill imposes new compliance requirements for data protection on most businesses in India and ensures that the privacy of data is protected.

Whether Personal Data Protection Bill, 2019 dilutes the Right to Privacy?

The following are certain facts which lead to an inference that the PDP Bill, 2019 dilutes the fundamental right to privacy:

The PDP Bill gives India’s Central Government the power to issue reasoned orders exempting any government agency from the bill’s requirements on grounds related to security and sovereignty of the State and public order.

The Expert Committee’s draft Bill allowed exemption in the interests of national security when authorized by a law enacted by Parliament, provided that it satisfies the internationally recognized principles of necessity and proportionality. Under Section 35 of the PDP Bill, by contrast, a simple executive order of the Central Government authorizing any government agency to process personal data can allow them to conduct surveillance without any clear safeguards. These exemptions fail to meet the standards laid out by the Supreme Court in the Puttaswamy case, where it ruled that measures restricting the right to privacy must:

 (1) be backed by law,

 (2) serve a legitimate aim,

 (3) be proportionate to the objective of the law,

 (4) have procedural safeguards against abuse.

The PDP Bill seems to expand the scope of exemptions while simultaneously diluting important safeguards when compared to the draft Bill proposed by the Justice Srikrishna Committee. While national interests may in some cases override the individual interest in privacy, it is critical, as the Justice Srikrishna Committee noted, “to ensure that the pillars of the data protection framework are not shaken by a vague and nebulous national security exception.”

Conclusion

While the Data Protection Bill is a welcome step in establishing a data protection regime, it is fraught with various provisions that dilute the fundamental right to privacy. The Bill lacks many necessary safeguards that are needed to protect the right to privacy. Not only is this a problem since the proposed framework is unlikely to protect privacy adequately, but the PDP Bill also significantly dilutes the right to privacy and increases the State’s power of surveillance without creating adequate checks and balances. This is likely to have deleterious consequences for the stated objective of protecting informational privacy. There is a need to see the privacy of the citizens as the primary end goal of data protection legislation. It is perhaps this clarity of vision that may help the policymakers in resolving the competing interests of the State’s welfare and surveillance agendas, the private sector’s gargantuan appetite for personal data, the need for community data to facilitate bottom-up innovation, and the ability of individuals to exercise their right to privacy.
