PERSONALIZE, PRIVATIZE AND PROTECT: THE THREE Ps OF DATA PRIVACY
Authored By- Navya Shukla
Abstract
The internet has created entirely new markets for the collecting, organising, and processing of personal data, either directly or as a vital component of many business models. India currently lacks explicit data protection or privacy legislation. However, the relevant data protection laws in India are the Information Technology Act, 2000 (“IT Act, 2000”) and the Indian Contract Act, 1872. A Committee of Experts was formed to examine various aspects of data protection, and its work resulted in the first draft of the Personal Data Protection Bill in 2018. Consequently, the report of the Joint Parliamentary Committee on the proposed data protection law has given the Data Protection Bill of 2021 a new tone and tenor. Through this article, the author aims to analyse the elements of data privacy in Indian legislation, focusing essentially on the PDP Bill and whether the laws adequately promote the utilities of the internet.
I. Introduction
In the well-known case of Justice K.S. Puttaswamy v Union of India[1], the Supreme Court issued a unanimous decision affirming that the right to privacy is a fundamental right guaranteed by the Indian Constitution. The Hon'ble Court also advised the Central Government to draw up a concrete data protection law for the country that protects the interests of the individuals as well as of the state while encouraging technological innovation and entrepreneurship. The Court reasoned that because there is no effective data protection law in place, determining what rights citizens possess is difficult, rendering the fundamental right to privacy practically useless.
Indian legislators were jolted awake by the Supreme Court's recognition of the right to privacy as a basic right under Article 21 of the Indian Constitution, and felt compelled to craft the necessary laws. Indian WhatsApp users are outraged by WhatsApp's most recent privacy policy amendment, which has exposed flaws in Indian data protection legislation. The bill in question is based on the General Data Protection Regulation[2] (“GDPR”) of the European Union, and it aims to protect individuals’ personal data, which is regularly acquired by digital media for a variety of reasons. A layman may be unaware of how far his or her data has travelled and who has access to it in such instances.[3]
As previously noted, the IT Act, 2000[4] now oversees data privacy and protection in India, and an entity can be held accountable for the unauthorised use of an individual's data or personal information, as well as any negligent act using such information. However, one of the legislation’s flaws is that the scope and meaning of “sensitive personal information” are limited, and the legislation’s restrictions do not apply to government agencies that use residents’ data.[5]
Individuals' ownership of their data, the ability to track who collects their data, where it is held, how it is used, and what recourse they have if their data is misused are all principles that make up a good data protection strategy. There have been far too many instances where personal information, whether anonymized or not, has been used with malicious intent.
As a result, the PDP Bill, 2019,[6] is an attempt to protect individuals' privacy in connection to their personal data, as well as to regulate the interaction between persons and companies that process this data. It is also determined to promote innovation through digital governance in order to establish a robust digital economy. On December 11, 2019, the Ministry of Electronics and Information Technology introduced the PDP Bill, 2019 in the Lok Sabha to restructure India's data protection management, which was previously managed by the IT Act, 2000 and its rules. The PDP Bill is mainly consistent with the requirements of the Draft Personal Data Protection Bill, 2018, and is broadly inspired by the principles of the European Union's GDPR, 2016.
II. Key Features of the PDP Bill
The Joint Parliamentary Committee gave its long-awaited report to the Indian Parliament on December 16, 2021, after two years of deliberation on the Personal Data Protection Bill, 2019.[7] This, hopefully, will be the ultimate consequence of a succession of JPC extensions, paving the way for a solid data protection law in the world's greatest democracy.
The PDP Bill seeks to regulate an individual's personal data, including its collection, storage, processing, and divulgence. Following are certain key takeaways of the Bill:
· It defines "Sensitive Personal Data" as financial data, health data, an official identifier, sex life, sexual orientation, biometric data, genetic data, transgender or intersex status, caste or tribe, religious or political beliefs.[8]
· It seeks to govern both companies and government agencies involved in the processing of an individual's data, which is currently limited to companies under the IT Act of 2000.
· A 'data principal' is a person whose data is being disclosed, processed, and used and who has been granted the rights to information, correction, completion, erasure, transfer, restricting disclosure, and withdrawal of their data.
· A 'data fiduciary' is the entity that collects and stores the data of a data principal. Certain obligations apply to data fiduciaries when it comes to the processing of personal data. Such processing, for example, should be subject to certain purpose, collection, and storage constraints. Personal data can only be processed for specific, clear, and legal purposes.
· Furthermore, all data fiduciaries must implement certain transparency and accountability measures, such as implementing security safeguards and establishing grievance redressal mechanisms to address individual complaints. Certain fiduciaries may be designated as "significant data fiduciaries," and they will be required to take additional accountability measures, such as conducting a data protection impact assessment before conducting any large-scale sensitive personal data processing (including financial data, biometric data, caste, religious or political beliefs).
· The PDP Bill will apply to data fiduciaries or data processors who are not physically present in India if they process personal data in connection with (a) any business carried on in India, (b) systematic offering of goods and services to data principals in India, or (c) any activity involving profiling of data principals within the territory of India.
· It proposes establishing a Data Protection Authority to serve as a grievance redressal forum for an aggrieved individual whose grievances were not adequately addressed by the data fiduciary.
· Exemptions have been provided for processing personal data without the consent of the data principal in certain circumstances, such as (i) when required by the State to provide benefits to the individual, (ii) legal proceedings, and (iii) responding to a medical emergency.[9]
· Personal data has been defined in terms of identifiability standards. Although 'anonymised data' is not covered by the provisions, the Central Government is empowered to create policies directing data fiduciaries or data processors to share anonymised data or non-personal data to enable better targeting of service delivery.
· The PDP Bill emphasises compliance requirements for all forms of personal data, expands individuals' data rights, establishes a central data protection regulator, emphasises the restrictive conditions for personal data transfer, lists the penalties for reckless de-identification/misuse of data, and establishes data localization requirements for certain forms of sensitive data.
· Any entity that re-identifies and processes de-identified personal data without consent faces a penalty of up to three years in prison, a fine, or both.
III. Analysis and Impact of the Bill
With the Indian economy becoming increasingly digital, a regulatory sandbox may be required. In certain cases, exempting government agencies from the PDP Bill's restrictions may contradict the bill's goal and jeopardise an individual's fundamental right to privacy. The data localization rules may generate general security and national security concerns. The PDP Bill declares that the government must have access to "important" or "sensitive" personal data, such as religious or political beliefs, if necessary to defend national interests, but such unlimited access to this information could lead to data misuse.[10]
Furthermore, the concept of the right to be forgotten has been discreetly placed in the PDP Bill under the right to erasure. The idea behind the development of this right is that a person should be able to govern their data by requesting that data processed by a data fiduciary be erased. Users will be able to request that companies remove their personal data, which means they will have the right to be forgotten if their purpose has been met or if they desire to withdraw their consent. However, the PDP Bill grants only a limited and arbitrary right, requiring the consent and scrutiny of an Adjudicating Officer before the data can be wiped.
The scope of the Personal Data Protection Bill has been enlarged in response to the JPC Report[11] to include both personal and non-personal data. Instead of "Personal Data Protection Bill," the bill is now known as "Data Protection Bill (Bill)." Because "it is impossible to discriminate between personal and non-personal data when mass data is collected or conveyed," both categories of data will be regulated by the same regulator. The inclusion of non-personal data, including anonymized data, in the scope may be a sensitive issue, as some of the non-personal data will be considered proprietary by enterprises that have invested large resources to obtain it.
The establishment of the DPA and other accompanying infrastructure, as outlined in the study, are some critical activities that must be done in stages. Companies must quickly embrace and implement a successful compliance plan by focusing on investments and alignment of people, process, and technology. Both the government and private firms must implement dedicated training and awareness programmes to train the staff and assure timely compliance.
IV. Conclusion
The Data Protection Bill is a much-needed and long-awaited piece of legislation that would replace India's current archaic, obsolete, and inadequate data protection policy. It would help preserve individuals' privacy rights and promote fair and transparent data use for innovation and growth, unlocking the digital economy, in comparison to present standards. It has the potential to create jobs, increase user understanding of their privacy, and hold data fiduciaries and processors accountable. Furthermore, with the rapid adoption of cutting-edge technologies such as blockchain and artificial intelligence, it would be worthwhile to track and study how the current set of regulations would be applied to frameworks based on decentralisation and anonymization.
Despite being influenced by the EU General Data Protection Regulation, India has developed its own approach to data protection, including merging personal and non-personal data under one roof, data localization, hardware device coverage, social media platform management, and more. Though it still has certain flaws, it will bring India up to speed with other countries' rigorous data privacy rules once completely implemented. Companies should start preparing for compliance with the various provisions as soon as possible. Enterprises should contemplate conducting periodic audits and assessments of their privacy procedures in order to better visualise the types of data collected, its flow within the company, storage timelines and locations, and to initiate remediation steps to close any gaps they discover.
Compliance with the requirements of data privacy can be difficult in today's information age. However, if organisations are proactive and plan ahead of the enforcement date, this does not have to be the case. Organizations can confidently embrace the Bill and, once compliant, consider it a competitive advantage by implementing a tiered, comprehensive data security strategy.