India has more than 600 million internet users and ranks second, but the country lacks something important: laws to safeguard the personal data of citizens. Long after the data protection bill was drafted with the intention of protecting the personal data of citizens from any type of misuse, it was introduced in the Lok Sabha. The bill was drafted by the expert committee headed by former Supreme Court Judge Sri Krishna on July 28, 2018. On Dec 4, the bill was introduced in the parliament with the approval of the union cabinet. The bill was introduced in the Parliament on Dec 11, 2019. But some criticised the bill, saying that it does not serve its aim at all, and they felt that it would also result in the government’s surveillance of citizens.
WHAT DOES THE BILL STATE?
The personal data protection bill aims to protect the personal data of citizens and prevent its misuse. It regulates the collection, storage, and processing of personal data with the consent of the individuals, under a code of conduct. The draft bill says that sensitive personal data may be processed only with the express consent of the person. Further, the consent has to be informed, clear, and specific, as defined. The bill aims to form a regulation policy for organizational and technical measures in processing. The draft bill also features a provision under which the person shall have the right to limit and prevent continuing disclosure of personal data. There is a provision for the Centre to notify categories of data as critical, which can be processed only on a server within India, and the bill also specifies some penalties for not following its provisions.
The bill classifies data as personal data and sensitive personal data:
- Personal data: includes name, address, mobile number, and those data which help to identify the individual.
- Sensitive personal data: includes passwords, financial and health data, sexual orientation, biometric data, and religious or political beliefs.
DATA PROTECTION AUTHORITY
According to the bill, a regulatory body called the Data Protection Authority must be created to regulate the activities of data fiduciaries. It shall have a chairperson and 6 other members with at least 10 years of experience in data protection and privacy. This authority will ensure that the fiduciaries are in compliance with the bill by creating a code of practice. It also imposes penalties for violating the provisions of the bill. It also provides compensation for the data principals who suffer any damage because of data breaches.
FEATURES OF THE BILL
The main aim of the bill is to protect the personal data of citizens. It therefore governs the processing of data by:
- Companies incorporated in India.
- Foreign companies handling the personal data of people in India.
OBLIGATIONS OF DATA FIDUCIARIES
Data fiduciaries are those entities that collect and process the data of individuals. The data fiduciaries must explicitly state the precise purpose for processing the data. The aim of processing such data must be clear and lawful. Additionally, the bill states that all data fiduciaries must undertake certain measures to maintain transparency and accountability.
The suggested measures are:
- The data fiduciaries must clearly state the purpose of data collection and the processing of such data must be fair to the point.
- The data fiduciary must disclose a notice specifying the purpose, source, nature, and categories of data collected. The notice must also mention the identity and contact details of the data protection officer, the entities with which the data will be shared, and other information pertaining to grievance redressal.
- The bill restricts the data fiduciaries from storing the data of an individual beyond a specified period of time. But with the approval of the data principal, the fiduciaries can retain such data.
RIGHT OF THE DATA PRINCIPAL
Data principal refers to the person about whom the data is being collected. The essential framework of the bill is to ensure the data privacy of the individual by minimizing data breaches. The bill gives certain rights to the principals in relation to processing. These include:
- They have the right to correct irrelevant, insufficient, or out-of-date personal data.
- The data principal can have access to the personal data which is being processed.
- They have the right to withdraw their consent at any time, or can limit continuing disclosure of their personal data by a fiduciary if it is no longer necessary.
GROUNDS FOR PROCESSING PERSONAL DATA
According to the provisions of the bill, a fiduciary can process the data of an individual only with his/her consent.
However, there are certain exceptional circumstances where the personal data can be accessed without the consent of the data principal, in case of:
- Medical emergency
- Legal purposes
- Need by the state to provide any benefit to the data principal.
When it comes to employer and employee, the superior (employer) can use the data of the subordinate (employee) without his knowledge in certain circumstances:
- To provide any kind of benefit to the employee
- For recruitment and termination of an employee
- To verify the attendance of the employee
The bill also specified some penalties for not following its provisions.
- One can be punished with a fine of Rs 5 crores or 2% of the annual turnover of the company involved, whichever is higher, if no action was taken against the data leak.
- Processing and transferring of personal data without consent, exceeding the provisions of the bill, is punishable with a fine of Rs 15 crores or 4% of the annual turnover of the company involved, whichever is higher.
RESTRICTIONS ON CROSS BORDER TRANSFER OF PERSONAL DATA
The draft bill submitted by the Justice Sri Krishna committee invited a lot of criticism of its data localization policy. According to this bill, every cross-border transfer of data requires a copy to be saved in India. Further, it stated that any data can be transferred or processed outside India only with the consent of the data principal. According to the bill, there is no restriction on the transfer of data. The central government has the right to classify a certain set of data as “critical personal data”, which can be processed only in India.
The central government has the authority to grant exemption from any of the provisions of the act:
- In the interest of public order, sovereignty, and state welfare.
- For preventing a person from committing a cognizable offense.
Justice BN Sri Krishna, who headed the committee which drafted the bill, stated that the draft bill and the revised bill were different. He reportedly said that this bill is a piece of legislation that could turn India into an Orwellian state.
Apar Gupta of the Internet Freedom Foundation says that the data protection bill forgot about the citizen’s privacy while concentrating on the security and technical aspects of data processing. He also mentioned that the word ‘security’ was mentioned 49 times and the word ‘technology’ was mentioned 56 times but ‘privacy’ was mentioned only once.
Advisor Gautam Bhatia felt that this bill would lead to the government’s surveillance of citizens who question the privacy and freedom of the democratic state.
Social media intermediaries play a prominent role in the bill’s criticism on several fronts. When compared with the ‘Draft Information Technology [Intermediary Guidelines (Amendment) Rules] 2018’, it is hoped that the Personal Data Protection Bill will prove the lesser evil.
V. Chithra (The Tamil Nadu Dr. Ambedkar Law University, Chennai)
V. R. Sujith Suriya (The Tamil Nadu Dr. Ambedkar Law University, Chennai)