PERSONAL DATA PROTECTION BILL 2019 – A BOON OR A BANE
Diksha Srivastava
BASICS OF LAW
Fri, Jan 03, 2020, 12:48 PM

In July 2018, the Committee of Experts on Data Protection submitted a draft Personal Data Protection Bill, 2018 to the Government of India. On the basis of the Committee's recommendations and suggestions from various stakeholders, the revised Personal Data Protection Bill 2019 was approved by the Union Cabinet on 4 December 2019 and introduced in the Lok Sabha on 11 December 2019. The Personal Data Protection Bill (PDPB) 2019 is expected to become law in 2020 once it has been reviewed by the Joint Parliamentary Committee (JPC) and passed by Parliament.

The Bill gives Indian users rights to obtain their personal data, to correct, erase, update and port the data from one company to another, and to raise grievances. The Bill governs the processing of personal data by:
- the Government,
- companies incorporated in India, and
- foreign companies dealing with the personal data of individuals in India.

WHAT IS PERSONAL DATA?
The Bill categorizes personal data into three categories: general, sensitive and critical. Sensitive personal data (financial data, health data, sexual orientation, biometric data, transgender status, religious or political belief or affiliation, and the like) may be transferred outside India for processing only with the explicit consent of the data principal and subject to the conditions laid down in the Bill, and it must continue to be stored in India. Critical personal data, a category the Bill leaves to be notified later, may be processed only in India.

REASONS BEHIND INTRODUCING THE BILL
The Bill traces back to the Supreme Court's decision in Justice K.S. Puttaswamy v. Union of India (2017), which declared privacy a fundamental right under Article 21 of the Constitution; to the Court's subsequent nudge to the government to frame a data protection law; and to the recommendations and draft bill of the Justice Srikrishna Committee on privacy protection.

NEED FOR DATA PRIVACY
In the digital age, nearly everything we do is mediated by technology. Smartphones, apps, the cloud, social media, computers and servers define our everyday lives.
Because we depend so heavily on these technologies, they end up holding far too much information about any individual, which makes proper data privacy measures necessary.

KEY FEATURES
The Bill's key features are as follows:
- Promote the concepts of consent, purpose limitation, storage limitation and data minimization;
- Lay down obligations on entities collecting personal data (data fiduciaries) to collect only the data required for a specific purpose, and only with the express consent of the individual (the data principal);
- Confer rights on the individual to obtain their personal data, correct inaccurate data, erase data, update data, port data to other fiduciaries, and restrict or prevent the disclosure of personal data;
- Establish a Data Protection Authority of India (DPAI) to protect the interests of individuals, prevent misuse of personal data, ensure compliance and promote awareness about data protection;
- Notify a "social media intermediary" as a significant data fiduciary where its actions have a significant impact on electoral democracy, the security of the State, public order, or the sovereignty and integrity of India;
- Confer a "right of grievance" on individuals to complain against a data fiduciary;
- Empower the central government to exempt any government agency from the application of the proposed law;
- Empower the DPAI to specify "codes of practice" to promote good data protection practices and facilitate compliance; and
- Provide for an "Adjudicating Officer" to decide penalties and award compensation for violations, and an "Appellate Tribunal" to hear appeals against those decisions.

PDP BILL AND RIGHT TO PRIVACY
The Bill regulates the processing of the personal data of individuals by government and private entities, whether incorporated in India or abroad.
Having provided these privacy safeguards, the Bill then empowers the central government, in Section 35, to allow any government agency to bypass all of them in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to these interests. The only safeguards are (a) a written order from the central government specifying the reasons for the exemption and (b) that the agency acts in a manner (procedures, safeguards and oversight mechanism) "as may be specified" in the future.

DATA PROTECTION AUTHORITY
A national-level Data Protection Authority (DPA) is set up under the Bill to supervise and regulate data fiduciaries. Section 94 of the Bill empowers the DPA to make regulations, including rules and safeguards for the protection of privacy and restrictions on the continuous or systematic collection of "sensitive" personal data, while even the definition of "critical" personal data is left to later notification rather than fixed in the Bill.

Duggal says that the DPA has been empowered to make many regulations that should have been stipulated in the Bill itself. The Bill should have defined "critical" personal data, which is the Kohinoor of this data protection crown. Besides, the element of cybersecurity is completely missing from the Bill, making it a paper tiger rather than an effective law. He also points out that the definition of "data" is less elaborate than that in the Information Technology Act, 2000, which he calls the mother legislation for all matters relating to the electronic format. "First and foremost, it excludes 'knowledge' from the definition and further, it excludes data in any form other than digital, including computer print-outs, punched cards and punched tapes, and provides no protection for these," he adds.

DRAWBACKS OF THE BILL
The Bill aims to give users more control over their data. But does that mean we can be relieved of the burden of privacy and data security?
No. There are some glaring issues in this Bill that need immediate attention. Section 35 allows the central government to override all the citizen rights listed above and confers near-absolute power on it. With a written order from the central government specifying the reasons, and following procedures "as may be specified" in the future, agencies can bypass every privacy right the Bill grants to citizens. Under the banner of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, the Bill gives the government unrestricted power to snoop on any citizen. The current Bill is in stark contrast with the 2018 draft, which required any such exemption to be authorised by a law and to be necessary and proportionate; the 2019 Bill drops that requirement and leaves it to the executive to decide what counts as a justified breach of privacy.

Various social media companies and firms such as Google and Apple have been approached by the government for individuals' data in matters said to relate to national security. The recent surveillance of WhatsApp users via Pegasus suggests that the government is involved in some way or other in tracking and spying on independent voices. In November 2019, the central government told Parliament that, under the Telegraph Act, 1885 and the Information Technology Act, 2000, central and state agencies are permitted not only to intercept any communication but also to monitor and decrypt information stored in any computer resource in the country. The current Bill is an extension of that position and can give the government dictatorial access to personal data.

While the law tightens the rules for companies that handle personal data, it gives the Government of India (GOI) the right to exempt any government agency from its obligations. This has raised alarm among companies, activists and citizens, who are rightly worried about unaccountable government surveillance. This is likely to be the most debated provision of the law once it is tabled in Parliament for a vote.
Justice B.N. Srikrishna, the chief architect of the draft law, has called the GOI exemptions dangerous, adding that the law could turn India into an "Orwellian State".

RIGHTS OF THE DATA PRINCIPAL (INDIVIDUAL)
Until now, Indian privacy law has offered little protection against the misuse of personal information. The handling of personal data is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which have proved inadequate. To empower individuals and give them more control over their own data, the PDP Bill lists certain rights:
- Right to confirmation and access: the right to confirm whether a data fiduciary is processing one's personal data and to obtain a summary of the personal data it holds.
- Right to correction and erasure: the right to seek correction of inaccurate, incomplete or outdated personal data, and erasure of data no longer necessary for the purpose for which it was collected.
- Right to data portability: the right to have personal data transferred to another data fiduciary in certain circumstances.
- Right to be forgotten: the right to restrict or prevent the continuing disclosure of one's personal data.
Consent remains the primary basis for processing: unless the data principal has consented (explicitly, in the case of sensitive personal data), their personal data may be shared or processed only on the limited non-consensual grounds the Bill spells out. Of these rights, the basic rights to confirmation, access and correction must be honoured without charging a fee, which promotes transparency.

IMPACT ON DATA FIDUCIARIES (COMPANIES)
The proposed law may have a considerable impact on companies operating in India, whether or not they have a physical presence here. Some companies oppose it; others have spoken up in support. For ISPs, the draft may bring changes, as it imposes mandatory provisions with a significant effect on business models, finances and modus operandi. One piece of bad news for companies is that the Bill's penalties are inspired by its European cousin, the GDPR.
Some violations carry a maximum penalty of Rs 5 crore or 2% of the company's worldwide turnover in the preceding financial year, whichever is higher. For others, such as non-compliance with the PDPB's cross-border transfer provisions or with the rules on consent and grounds of processing, the penalty rises to Rs 15 crore or 4% of worldwide turnover in the preceding financial year, whichever is higher.

The Bill lays down obligations on any data fiduciary processing personal data, including:
- processing personal data in a fair and reasonable manner;
- notifying the data principal of the nature and purposes of the data collection and of their rights; and
- collecting only as much data as is needed for a specified purpose, and storing it no longer than necessary.

CONCLUSION
Personal data breaches have become one of the most prevalent categories of security incident worldwide, so the proposed Personal Data Protection Bill (PDP) is a welcome step. It puts ownership of data in the hands of individuals while taking care not to throttle business and innovation. It combines data privacy rights and obligations that are already familiar (mainly from the GDPR) with a new approach of its own. The Bill applies to both government and private entities established in India as well as abroad (extra-territorial applicability), and non-compliance may lead to both financial penalties and personal liability.