
India is the second-largest online market in the world, home to nearly 500 million active internet users. Unsurprisingly, the rising number of internet users in the country has raised concerns for data security and privacy, especially considering recent breaches by WhatsApp and murky regulations by the increasingly popular TikTok. The Personal Data (Protection) Bill, 2018, slated to be discussed in the ongoing winter session of Rajya Sabha, aims to provide a regulatory framework for personal data processing and security–but are its provisions enough to ensure individual privacy?

In Justice K S Puttaswamy v. Union of India, 2017, the Supreme Court of India held that the Right to Privacy is a fundamental right, even in the digital sphere.

Currently, personal data enjoys a certain amount of protection under Section 43A of the existing Information Technology Act, 2000, which says that entities negligent in implementing ‘reasonable security practices’ are liable to pay damages to the victim. However, there are no specified limits for the compensation that can be claimed by those affected.

Even the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011, have failed to provide adequate mechanisms for the regulation and indictment of data abusers.

Thus, in 2017, the Justice Srikrishna Committee was constituted to recommend policy changes to bridge this gap. In July 2018, the Committee submitted a 176-page report and the Personal Data (Protection) Bill to the Ministry of Electronics and Information Technology, and the Bill is rumoured to be discussed in Parliament very soon. 

The Bill uses the terms ‘data principal’ and ‘data fiduciary’ to signify individuals and government/private entities respectively, and extends even to foreign entities that process personal data connected to businesses and principals within the Territory of India.

It also recognizes the obligations of entities towards individuals and their data, such as obtaining consent and notifying principals on the nature and purpose of data processing. It stresses the importance of transparency for fiduciaries by enforcing record-keeping and privacy by design. Such provisions seem like a welcome change to make firms more accountable for the personal and sensitive personal data that they process.

Furthermore, the Bill creates provisions for the establishment of a central Data Protection Authority (DPA) to regulate and supervise fiduciaries. There are concerns among some legal experts that the regulatory structure of the DPA is not sufficiently independent, and that there may be a conflict of interest in the reporting of data breaches by fiduciaries, since they are assessed, in part, on their proclivity towards such instances.

On an individual level, the Bill recognizes the importance of rights that principals have over their data–such as the right to be forgotten, the right to correction, the right to portability, and the right to know when their data has been breached.

The importance of taking consent and notifying principals of the nature and purpose of data processing has been emphasized, as have the grounds for processing personal and sensitive data of both adults and children.

However, the Bill has some serious flaws in this regard, the most important and controversial one being that of data localization. This section of the Bill requires data fiduciaries to keep “at least one serving copy” of principal personal data within the Territory of India.

There are also exceptions made for principal consent in certain kinds of processing of this localized data, including processing in the “interest of national security”, for journalistic purposes, government benefits and legal proceedings, permitting the use of personal data by the government for the detection, prevention, and investigation of any contravention of the law.

Put simply, these provisions would require foreign internet-based services like Facebook, Google, Uber, and Twitter to physically host their user data in the country, while giving unrestrained access to personal and sensitive data to Indian law enforcement, which the latter can use without user consent in certain cases.

The case of PUCL vs. Union of India, 1996, defined a certain legal framework for government surveillance that concentrated the power of ordering and reviewing all surveillance in the hands of the executive without any third-party review, court order, or notification. But while that was adopted as a temporary solution by the SC, it seems to have carried on to the Centre’s view of personal data security.

The kind of unbridled personal data access that this Bill provides to the government and law enforcement agencies poses a massive threat to the citizens’ fundamental Right to Privacy.

Such provisions also breach multiple international human rights standards. The International Covenant on Civil and Political Rights, ratified by India, states that nobody will be subjected to unlawful and arbitrary interference with respect to their privacy, home, family, and reputation. In 2013, by way of Resolution 68/167, the United Nations General Assembly expressed deep concern about the negative impact of surveillance on human rights and called upon States to protect and respect the Right to Privacy in the digital realm.

Overall, the Bill can be considered a positive effort in regulating fiduciaries, given the paucity of time given to its drafters. Yet, it has substantial loopholes that would prove to be more risky for individual users than current frameworks.

There is already a growing mistrust among Indians towards the use of personal data by those in power, as evident in the cases of Aadhaar, the proposed facial recognition system, and the arrests of people posting dissenting content on their social media profiles. Whistleblowers have also exposed how Indian political parties already mine people’s personal data for their electoral and political agendas.

It is crucial that the right to privacy of individuals is protected at all costs, especially in the current political climate, where the definition of ‘national interest’ is becoming seemingly less congruent with the demands and rights of India’s citizens.

Therefore, while this Bill has progressive clauses related to fiduciary accountability, passing it would be a step towards losing individual privacy and legitimizing the practice of large-scale governmental data mining and mass surveillance.


Author

Hana Masood

Former Assistant Editor

Hana holds a BA (Liberal Arts) in International Relations from Symbiosis International University