Right to privacy is a multidimensional concept. In the context of personal data, it refers to the specific right of an individual to control the collection, use and disclosure of his personal information. Personal information could be in the form of identity details, personal interests, habits, activities, records of family, education, communication, health, finance, etc. Over the last two decades, the issue of privacy – in particular, the collection, processing and sharing of personal data of individuals – has become increasingly prominent in India. This is the period which saw the advent and flourishing of various internet-based businesses in India which are dealing with the collection, organisation, and processing of personal information, whether directly, or as a critical component of their business model.
On December 11, 2019, the Minister of Electronics and Information Technology, Ravi Shankar Prasad, introduced “The Personal Data Protection Bill” in the lower house. The Bill aims to ensure, inter alia, the protection of individuals’ privacy in relation to their personal data and the transparency of organisations and institutions processing personal data, and to establish a Data Protection Authority (hereinafter referred to as “DPA”) for the various purposes that the Bill seeks to fulfil. The Bill is the response of the Government of India to the long-standing need for a “data protection regime” to protect citizens’ personal data that they knowingly or unknowingly provide to various internet websites. The Government of India constituted a committee of experts on Data Protection on 31st July 2017, headed by Justice B. N. Srikrishna, to examine the issues pertaining to data protection in India, and the report of this Committee was submitted on 27th July, 2018. Later, the Government placed the Bill in the public domain for feedback and suggestions from various stakeholders, ministers and consultants. Based on these suggestions, the Union Cabinet approved a revised Personal Data Protection Bill, 2019, on December 4th, 2019. The Bill was then introduced in the Lok Sabha on December 11, 2019 and was referred to a Joint Select Committee of both the houses.
The 2019 Bill is broadly based on the principles of the General Data Protection Regulation, 2016 (the “GDPR”) and the landmark judgment of the Supreme Court of India, Justice K.S. Puttaswamy (Retd.) & Anr. v Union of India, wherein the right to privacy was upheld as a fundamental right under the Indian Constitution. The 2019 Bill intends to protect the privacy rights of individuals with respect to their personal data, and it governs and regulates the organizations processing such personal data. The 2019 Bill has been formulated largely in line with the provisions of the Draft Personal Data Protection Bill, 2018 (the “2018 Bill”), which was released on July 27, 2018 along with the report by the Committee of Experts under the chairmanship of Justice B.N. Srikrishna.
APPLICABILITY OF THE BILL: –
The Bill regulates the processing of personal data by States, companies incorporated in India, and international companies dealing with personal data of individuals in India. The Bill sets out the responsibilities of the data fiduciary (i.e., the body deciding the intent and means of processing personal data), which must take certain accountability and transparency steps when handling the data. The Bill requires personal data to be handled by data fiduciaries only if the data principal (i.e., the person to whom the data relates) has given his permission.
The Bill also vests the Central Government with substantial standard-setting powers and tasks the DPA with implementing the same. An important characteristic of the Bill is its broad scope of applicability. If implemented, it would apply across India to all companies other than those expressly exempted. This will involve any organization that collects data using automated means. The DPA shall have the power to define small entities based on turnover, data volume handled and data collection purposes.
The Bill further provides a legal framework for the collection and use of personal information. While providing a collection of rights and obligations for the processing of personal data, the Bill proposes the creation of a DPA, to control and implement the legal structure.
The Bill also proposes that the personal data of individuals should be accessed only on the basis of free, informed and detailed consent, with provisions that allow such consent to be withdrawn. Any processing of data without such approval would constitute a breach, which could result in penalties under Sections 11 and 57 of the Personal Data Protection Bill, 2019. Section 11 of the Bill establishes a separate category of ‘sensitive personal data’ and states that such data can only be processed with ‘explicit consent’.
“The right to be forgotten” reflects a major part of the legislation. Under Section 20, the data principal is entitled to avoid the continued disclosure of his personal data if the purpose of the data has been served, if the consent of the data principal has been removed or the data has been unlawfully released. The Bill also empowers the DPA to take measures to protect individual rights, prevent abuse of personal data and ensure compliance with the bill.
NEGATIVE ASPECTS OF THE BILL: –
Even though the Bill empowers the individual with certain rights, it has many loopholes. The government is entitled to access personal data on wide grounds, including national security, sovereignty, integrity, etc. This may lead the state to intrude in the lives of citizens, defeating the purpose of the Bill. The procedure for appointment of the members is also widely contested. Data localisation suppresses the ‘global’ context of the marketplace, so new startups that aim at global growth will face losses. Under this Bill, tech giants like Facebook and Google are asked to allow users to ‘voluntarily verify’ their accounts in a manner that is to be prescribed in the future. These perfectionist policies, along with the broad exemptions, are criticised widely. Although the main purpose of the Bill is to protect the privacy of individuals, its provisions prove contrary to this. There is a need to restructure the wider objectives of the Bill along with the minute details.
The Personal Data Protection Bill is India’s move towards providing, inter alia, data privacy for its people and avoiding misuse of their data. It places great emphasis on the individual’s consent before taking up his/her data for any purpose. It also has provisions for the establishment of an Indian Data Protection Authority to ensure proper enforcement of the proposed Bill. It is a long-awaited legislation, as India did not have a comprehensive law to protect its citizens’ data, leaving citizens unarmed while being exposed to a world full of cyber-crimes. Today the internet has become an integral part of our lives. Almost all the things that we do, whether public or private, official or unofficial, include the use of the internet. A large amount of data is transferred whilst performing these activities. In such a situation, ensuring data security is important, because a person’s data in the wrong hands can have serious repercussions. There are cases where users’ data privacy has been violated, knowingly or unknowingly, by social media sites like Facebook and WhatsApp. Therefore, a law that seeks to protect citizens’ privacy is essential. The Personal Data Protection Act is intended to meet this obligation. However, it is marred by certain shortcomings, and it can end up offering very little of the protection that the legislation promises. But the Bill also has scope for change, as it has been referred to a Joint Parliamentary Commission. The panel is expected to discuss the Bill’s shortcomings and to come up with a Revised Draft Bill that will provide Indian people with a promising legislation that delivers on the data privacy promise.