PERSONAL DATA PROTECTION BILL 2018 & 2019 (By- Rishav Kumar)
Table of Contents
1. INTRODUCTION TO THE BILL
2. SRI KRISHNA COMMITTEE
3. DATA FIDUCIARY ACTIVITIES
4. PERSONAL ANALYSIS
5. CONCLUSION
Introduction
The Personal Data Protection Bill was introduced in the Lok Sabha in 2019 by the Minister of Law and Justice, Dr Ravi Shankar Prasad, to protect the privacy of personal data, which is a major concern in this ever-changing “technological world”. The government had several reasons for introducing the bill:
1. The 2018 Supreme Court judgement declaring ‘privacy’ a fundamental right under Article 21 of the Constitution.[1]
2. A subsequent push from the Supreme Court to frame such a law.
3. The Sri Krishna Committee recommendation and draft on privacy protection.
Justice K.S. Puttaswamy v. Union of India Case:
The major essential facts:
The case was brought against the AADHAR project on the ground that it violates the data-privacy aspect of Article 21 of the Constitution. The project provides a database of every citizen of India by establishing the personal identity and biometric information of every Indian, which requires the fingerprints, eye scans and mobile number of every citizen. Registration has become compulsory for the majority of purposes, such as filing tax returns, opening a bank account, securing loans, buying and selling property, or even making purchases of 50000 and above.
In 2012 retired Justice K.S. PUTTASWAMY filed a petition in the Supreme Court challenging the constitutional validity of AADHAR on the ground that it violates the right to privacy. Justice Puttaswamy argued that making AADHAR mandatory violates a fundamental right. The government argued that there is no violation of the right to privacy, relying on two earlier views: that the drafters of the Constitution did not intend to subject the power of search and seizure to a fundamental right of privacy,[2] which was the unanimous view of an eight-judge bench, and that privacy is not a fundamental right,[3] which was the majority view of a four-judge bench.
The case came before a three-judge bench, which on 11 August 2015 ordered it to be referred to a five-judge bench. The five-judge bench ordered it to be referred to a nine-judge bench on 18 July 2017. Lastly, the case was heard by a nine-judge bench.[4]
The case judgement:
The nine judges gave six different opinions on the case, producing the longest reasoned judgement in history. The leading judgement was given by Dr D.Y. CHANDRACHUD J, and it considers the Indian general ordinance on privacy and the nature of constitutional rights. It also considers comparative law on privacy from various countries outside India and a variety of criticisms from famous feminists, journalists and reporters.
The obligations were unquestionable, as they did not include any right of privacy; this was the issue raised by the petitioners. It causes a problem for justice, as it violates some major aspects of the ordinance.
Article 21 states that “No person shall be deprived of his life or personal liberty except according to procedure published by law.”
CHANDRACHUD J points out that the provisions contain legal aid, shelter, freedom from torture etc., and that privacy is an incident of fundamental liberty. Justice CHANDRACHUD analysed and identified the most important points of dignity.
Dignity cannot exist without privacy. Both
reside within the inalienable values of life, liberty and freedom which the
Constitution has recognised. Privacy is the ultimate expression of the sanctity
of the individual. It is a constitutional value which straddles across
the spectrum of fundamental rights and protects for the individual a zone of
choice and self-determination.
The conclusion was that data privacy should be included under Article 21 of the Constitution. Although it is not a fundamental right, it is given this priority because it meets the requirements of legality, need for a legitimate aim and proportionality, and is thus given such consideration under the Constitution. This judgement is known in constitutional history because it is the longest judgement and it provides a basis of living. It was also refused and transferred many times to different judges of the court.
Justice Sri Krishna Committee
The Sri Krishna Committee of Telangana, or the Committee for Consultations on the Situation in Andhra Pradesh (CCSAP), is a committee headed by former Chief Justice B.N. Sri Krishna. The committee deals with solicited suggestions and views from political parties, social organisations and other stakeholders. The committee submitted a report on data protection law to the government. Justice Sri Krishna handed over the report to Ravi Shankar Prasad. This report deals with data handling and processing practices and was eagerly awaited by both Indian and foreign companies for data protection.
The thoughts of Justice Sri Krishna are such that he says that “data privacy is a burning and highlighted issue and the three major concerns on this issue:
· The citizen rights have to be protected
· The responsibility of states had to be defined
· And last that data protection cannot be at the cost of trade and industry.”
MAJOR HIGHLIGHTS OF THE REPORT
Ø The law will have official power to make legal decisions and judgements on issues related to the sharing of personal data if such data is being shared, transferred, disclosed or processed in India.
Ø Functionally, data that is collected and processed should come under Indian law, whether it is published in India or in some other country. The law also empowers the government to exempt companies which process foreign or international data that is outside India or not present in India.
Ø The laws of the bill will come into force in an appreciable and synchronised manner.
Ø The data protection law will set up a Data Protection Authority (DPA), which will be an independent regulatory body responsible for the enforcement and effective implementation of the law. The Central Government shall establish an appellate tribunal, or grant powers to an existing appellate tribunal, to hear and dispose of any appeal against an order of the DPA.
Ø The law will cover protection of personal data from both public and private entities.
Ø Penalties are imposed for violations of data protection law. The law imposes penalties and restrictions on violations, which may amount to fines of very high value, such as a percentage of the total worldwide financial income of the preceding year.
Ø Sensitive personal data will include various types of information, such as data on finances and health, official identification, sex life and sexual orientation, biometric and genetic data, transgender status and political beliefs of the person. Additionally, the DPA will be given residuary powers to notify further categories of data according to the criteria set by the law.
Ø The law provides that, for cross-border transfers of personal data other than critical personal data, the party transferring the data will be responsible for any misconduct of the transferee that causes damage to the principal, i.e., key obligations are held towards the principal. Critical personal data will be processed only in India, and its cross-border transfer will be prohibited.
Ø There will be a lawful basis for the processing of personal data. The law adopts a modern framework which makes the data fiduciary liable for loss to the data principal by applying a product liability regime.
Data Fiduciary Activities In India
A data fiduciary is an entity associated with the processing, collection, limitation and storage of personal data etc. Data can be used for a variety of lawful and unlawful activities, and to deal with such activities the data fiduciary is set up by the government. It deals with such activities and provides a safeguard for ensuring and providing security over the internet. It is set up so that it provides data security in a responsible and synchronised manner and helps to provide reasonable feedback for such authority given.
The government claimed that WHATSAPP had not informed government agencies about the data privacy breach which targeted many Indian activists, lawyers and journalists. WHATSAPP responded that it had alerted the government twice, “first in May and then in September”. The government took up the issue of traceability seriously during formal structured meetings at the highest level of the ministry with both the international vice-president (Nick Clegg) and the CEO (Chris Daniels) of WHATSAPP, where they insisted that their platform was safe. They added that not even once had the government informed them about the data privacy breach in the highest formal structured meetings.
Spying Snowballs Into Political Controversy
· The response from WHATSAPP came (as a defence) that they were among the 1400 people globally who were spied upon by unnamed entities using Pegasus (Israeli spyware). This information was given to a few Indian journalists and human rights activists.
· WHATSAPP also stated that Pegasus exploited its video calling system, installing the software through missed calls to snoop on 1400 selected global users, including nearly 30-40 in India.
· The owner of Pegasus, the Israeli NSO Group, had limited the sale of the spyware to state intelligence agencies only, as it has the ability to collect and mimic or duplicate data from target devices. Pegasus software can be installed on devices via "exploit links".
· The government of India initiated instant plans on the denial of purchasing Pegasus spyware from the NSO Group.
· The government also got angry with journalists as they demanded clarification, and it questioned WHATSAPP on why it had kept the information about spying on Indian citizens hidden from government authorities despite recent meetings with the CEO.
Features And Loopholes Of The Bill
FEATURES OF THE BILL
1. There are various kinds of personal data, such as sensitive personal data, personal data and critical personal data.
· Sensitive personal data includes financial data, sexual orientation, transgender status, caste/tribe, and religious and political beliefs. It may be transferred for processing outside India with the user's consent or with the permission of the Data Protection Authority or the Central Government. “Passwords” are not included in the sensitive personal data list in the bill.
· Critical personal data is not notified by the central government and can be transferred only in India.
· Laws have been made in respect of the grounds for processing personal data, sensitive personal data and critical data according to the Personal Data Protection Bill, 2018.
· There are laws made for children in respect of personal and sensitive personal data.[5]
2. There are various “data protection rights”, which include the right to confirmation and access, the right to correction, the right to data portability and the right to be forgotten.[6]
3. The bill provides the rights and powers of the Data Protection Authority of India, which include the terms and conditions of appointment of members, codes of practice, and the powers and functions of the authority etc.
4. Penalties are imposed if laws are broken, which may extend up to five crore rupees or two per cent of total worldwide turnover of the preceding financial year, whichever is higher.[7]
5. There are transparency and accountability measures for the transfer of personal data outside India. Some miscellaneous powers are also given under chapter 10 of the bill, which include the power to remove difficulties, the power to make new rules and regulations etc.
Loopholes Of The Bill
1. There is no judicial oversight. The law empowers the enforcement agencies to intercept messages and communication on the grounds of sovereignty and integrity of India, security of the State and public order. Due to such State capacity concerns, in many countries, such as Canada, the USA (through the FISA court) and Australia, judicial control is built into the domestic/foreign surveillance framework through the process of overseeing and approving warrants and surveillance requests. However, the current Bill entirely sidesteps this issue.
2. There is no rule on non-state actors. The bill does not expressly deal with surveillance by non-state actors.
3. There is no reform on illegally obtained evidence. One of the biggest problems in terms of surveillance reform has been the judicial sanction to admit illegally obtained evidence, including tape-recorded conversations. This skews the incentive of law enforcement agencies to comply with the (already weak) safeguards that are recognised in the law. Instead, all the Bill does is reiterate in section 42 that processing has to be done “in accordance with the procedure established by law” – a requirement which, incidentally, has been dropped in section 43 – without specifying any consequences for non-compliance.
Additionally, the Bill uses the term “surveillance” only once, while defining the term “harm” in section 3(21)(x) as “any observation or surveillance that is not reasonably expected by the data principal”, which in itself seems to indicate that certain kinds of surveillance are to be “reasonably expected” from the State and private actors.
4. There is no accountability for intelligence agencies.
5. There is discretion in government for security and AADHAR.[8]
Personal Analysis On Data Protection Bill 2018 & 2019
As per my personal analysis, certain said important phrases such as "personal data", "sensitive personal data", "critical personal data" and "harm" are not properly defined in the Data Protection Bill, which can lead to vagueness among the public, providers of service and other data fiduciaries.
The bill was with the Joint Parliamentary Committee (JPC) till the date of 17 December 2019, where it was being analysed by the JPC in discussion among various sections of society. A Data Protection Authority (DPA) of India is being proposed, covering all the mechanisms, interpretation and consultation over processing of personal data privacy in the bill.
The JPC panel had taken a good decision and issued an advertisement which invites the general public and stakeholders to send their suggestions and give proper feedback on the steps taken on social media within a time frame of four weeks.
"Considering the elaborate
changes made from the draft bill of 2018, coupled with the suggestions given,
we urge the JPC to hold extensive and inclusive open house discussions on the
Bill before finalising its report. Also, recommendations received by it from
various stakeholders must be made public".
The hurdles or difficulties in the personal data protection bill:
Ø The bill doesn’t provide a time limit to set up the DPA.
Ø There is an absence of transitional providers, which leads to ambiguity on providers of service.
Ø It may be difficult to explain all provisions of the bill in an adequate and phased manner when it comes into force or is enacted by the government.
Ø Obligations of the bill are unquestionable, which invites the risk of overlaps in the system. It gives the central government the power to access non-personal data of the citizens or customers of India.
Ø The bill requires internet mediators to provide consumers or customers with a voluntary account verification option. This is done to solve the hurdles of posts which are inappropriate in nature, as provided under drafts of the guidelines of the amendment.
Ø My personal recommendation is that they should remove the amendments from the law because it lacks the independence of the DPA. Furthermore, the committee for selection of members asserted in the law for the appointment of members consists only of government executives.
Ø Moreover, certain powers are transferred from the DPA to the central government, such as notifying categories of sensitive personal data. This weakens the powers of the DPA.
My personal recommendation suggests a committee for selection which consists of members of the judiciary, civil organisations and experts in various subjects. It should re-provide the capacity given to the government from the DPA, along with making it compulsory to handle cost-benefit analysis while exercising the powers.
Conclusion
The general purpose of the law is to protect the individual against violations of his personal rights in the handling of person-related data. Even with the adoption of legal and other protections, violations of privacy remain a concern for users. The Personal Data Protection Bill is a beneficial, uplifting law in the country and has been a great help for the protection of data, but it has some loopholes, even after the changes, which need to be fixed by the government. The central government holds a lot of power in relation to data privacy. The Data Protection Authority, on the other hand, has to be under the command of the central government because some of the major powers have been given to the central government. Appointment of members and certain powers of the DPA are under the control of the central government, which makes the DPA an authority dependent on the central government.
Either there should be a neutral selection committee for the DPA’s selection of members, or the DPA should have full authority and be an independent community which exercises all its powers and functions within the government. A time limit should be set for the DPA and its members, and a proper community should be set up by the government for this purpose. The rights of the guardian data fiduciary should be limited, and some rights should also be given to the parents and guardians of children in relation to the data privacy of the child (as the GDF has full access to child data and does not require any consent of the parents or the guardian). Penalties and compensation should be stricter in nature, as there are a huge number of hackers breaking the laws of data privacy. On the whole, the data protection bill is a good initiative taken by the government and can be more prominent in nature if the government works on the loopholes. Although the bill is a historical boon in this “technological” society, there are certain loopholes which can and may be fixed by the government to make the bill more prominent in nature.
[1] Article 21(3) includes right to privacy as integral part of the constitution; JUSTICE K.S. PUTTASWAMY V. UOI, AIR 2017 SC 4161. Article 21(6) includes right to privacy as integral part of life as is cherished constitutional value; RAM JETHMALANI V. UNION OF INDIA (2011) 8 SCC 1: JT 2011 (7) SC 104: (2011) 6 SCALE 691
[2] MP SHARMA VS SATISH CHANDRA ([1954] SCR 1077)
[3] KHARAK SINGH VS STATE OF UP ([1964] 1 SCR 332)
[5] CHAPTER 3, 4 & 5 OF DATA PROTECTION BILL, 2018
[6] CHAPTER 6 OF DATA PROTECTION BILL, 2018
[7] CHAPTER 10 AND 11 OF DATA PROTECTION BILL, 2018