Publication
RIGHT TO PRIVACY AND THE PERSONAL DATA PROTECTION BILL, 2019
23 Jun 2021
Nayana

 

In today's age rapidly moving towards digitalization, an individual can be evaluated by the data generated by him. Information about our very existence can be stored in data points, and when it gets materialized, various parties and individuals can try to access our personal data. However, today's world operates by having access to such data and processing it. Hence, how one's data is collected, shared, stored and used and by whom has the potential to affect one's daily life significantly. Under such circumstances where data mediates the relationship of the public with government and private corporations, it is incredibly crucial to have a law that would ensure data security and protect an individual's privacy.

Right to Privacy was made a part of the Right to Life and Liberty under Article 21 as a fundamental right in the KS Puttaswamy v Union of India (2017) 10 SCC 1 judgement passed by the Supreme Court in August 2017. This was one of the landmark events which highlighted the importance of the Right to Privacy and gave it its due recognition in India. Right to privacy, which includes the protection of individual privacy has been dealt with by criminal law, property law and the law of torts since the beginning. After it was added under the multi-dimensional scope of Article 21, the right obtained an intrinsic value in the Indian Constitution.

The Data Protection Bill of 2019 is one of the pillar steps taken by our Constitution towards setting definite rules in the identification of personal data of individuals, the processing of such data, the rights associated with it, etc. This Bill was proposed to provide for a better system and solve the apertures in the Information Technology Act of 2000. Contrary to the provisions of the IT Act 2000, this Bill deals with the companies and the government as well. The 2017 judgement delivered that privacy of personal data was a crucial aspect of the right to privacy, and with regard to the same, a Joint Parliamentary Committee headed by Honorable Justice MrBN Srikrishna was set up in July 2017 to study the existing problems pertaining to data protection in the country. The recommendations of the report and the Draft Personal Data Protection Bill, 2018 submitted by the Committee to the Ministry of Electronics and Information Technology formed the basis of the Statement of Objects and Reasons mentioned in the Personal Data Protection Bill of 2019.

The Personal Data Protection Bill, 2019 creates a fundamental framework for collecting, disclosing, sharing, processing and storing of personal data of individuals within the territory of India. It specifies the rights of the data principles- the individuals who provide the data, the obligations of data fiduciaries- the entities that collect and process and data and the powers of the State over the data and the processes. The Bill draws a detailed outline of accountability and transparency measures, powers and obligations of all parties involved in the processing of data. It also establishes a Data Protection Authority for monitoring this process and for individuals to seek redressal. This Bill was presented in the Lok Sabha by Honorable Minister MrRavi Shankar Prasad, Minister of Electronics and Information Technology in December 2019. Since then, there has been a lot of criticism for the Bill being raised. Despite its attempts to better protect the data rights of individuals in India, the Bill does have certain ambiguous provisions that have given rise to heated controversies and are claimed to be violative of right to privacy itself.

The protection and monitoring of data is quite a complicated concept, and this significantly depends upon the classification and the definition of the types of data provided by the statute. Data can be broadly distinguished as personal and non-personal data. Personal data refers to physical characteristics and traits, sexual orientation, religious affiliation, etc., of an individual and inferences drawn for the purpose of profiling. It is basically a primary source of identifying an individual. Hence, its protection is fundamental to protect one's privacy. Personal data further includes sensitive data and inferred data. Certain problems that arise out of the Bill are the classifications that it provides under personal data. The Bill mentions sensitive personal data and critical personal data, but it doesn't define what the latter means. It also mentions that the State would have access to the "inferred data" of an individual. This term is also not defined under Section 3 and creates a massive bracket of access to the government with indefinite boundaries to the "data that can be inferred", also harming the intellectual property rights of data fiduciaries.

A significant contention that has been raised against the Bill is about the sweeping exemptions provided for the State in major provisions. This Bill, under Section 12 gives the Central government to provide an exemption for any of its agencies from any one or all provisions on the grounds such as "function of state", this includes the interest of public order, the security of the State, for the purposes of sovereignty and integrity of India and for maintaining peaceful international relations. Chapter VIII, including Sections 35 to 40, of the Bill, exclusively talks exemptions to all of its other provisions, and this has been claimed to be a crucial chapter which allows parties to conveniently avoid their obligations. Section 35 states that the Central Government can exempt its agencies entirely from the ambit of the Act, while Section 37 states that the State can exempt data processors. Section 36 states that exemption can be provided for investigation, detection, and prosecution of an offence; it can be used to enforce laws, legal proceedings, exercising judicial functions, and the benefit of the public and journalistic purposes. Section 38 states that for research, archiving, and statistical purposes, the provisions can be exempted. As detailed as the provisions creating restrictions are, the provisions providing exemptions can merely make all the others redundant. This, by function, paves the way for the government not to be subjected to the laws in the Bill. This would potentially centralize the power in the hands of the State, which could now collect, process and store the public's data for any and all of its purposes. Critics have claimed that this would lead to the creation of an Orwellian, or perhaps, a surveillance State that goes against the welfare of a free society and by extension, goes against democracy itself. This increases the executive's control by a vast amount where the judiciary would be absent.

Consent is another parameter with high legal importance addressed in the Act. Section 11 of the Act mandates that free, informed, and explicit consent is essential for the processing of personal data. It emphasizes the burden of proof on the data fiduciaries and the implications of withdrawing one's consent as well. However, Section 14 states that consent can be neglected entirely for certain "reasonable purposes" which include mergers and acquisitions, credit scoring, recovery of debt, operation of search engines, etc. This creates a vast grey area for the data fiduciaries to collect and process sensitive personal data without any accountability towards the data principles. Furthermore, the data fiduciaries are given the exemption of not having to adhere to minimum data retention, purpose limitation, etc., for purposes of law enforcement, making legal claims and exercising judicial functions.

Under Chapter IX, Section 41, the Act establishes the Data Protection Authority, which is to monitor the application of the Act and provide a redressal mechanism in cases of a data breach. As per Section 42, the DPA consisting of a chairperson and six members, are to be appointed by the Cabinet Secretary and other Secretaries in-charge of Legal Affairs, IT, etc. This implies that the board would be appointed by the executive branch and that the Data Protection Authority cannot be called an independent body, since the government itself stands as a major stakeholder in the provisions of the Act.

The Bill suffers from further essential conundrums. The Bill provides for localization of data, which means that the data is to be stored within the territory of India. Localization and mirroring requirements, coupled with extensive exemptions to the State and a non-independent Data Protection Authority would weaken the security of citizens' data in the international sphere, and further, foreign territories such as the European Union with its General Data Protection Regulations (GDPR), which hold data security very highly will reduce outsourcing data processing activities to India from a cross country data transfer perspective. Furthermore, the Bill provides the government with access to non-personal data or anonymized data for better delivery of services based on evidence. The data fiduciaries, however, claim that this would infringe upon their intellectual property rights by revealing their trade secrets. Since there exists a Committee of Experts dealing with the same, the inclusion of non-personal data in the Bill is questioned by their community. Another major concern would be that none of the provisions in the Bill specifies a compliance period, thereby creating ambiguity for all stakeholders regarding the same.

Ultimately, a pivotal question to be understood is whether the government treats an individual's data as a public good or a private good. The Economic Survey of 2018-19 states that the government would treat data as a public good, monetize it and use it for the welfare of the State which implies that it can also be exploited, since it as a public commodity. While it can be said that the intention with which the Bill has been introduced has been attempted to be addressed, nevertheless, it cannot be ignored that certain new problems have been given rise to. The government's answer to the problem of lack of data protection laws in India through the Bill are inclined towards maximizing power at the hands of the State. It is undeniable that the Bill has certain provisions which can effectively curb data crimes and ensure protection, but there are also extensive exemptions given to the State government who can go ahead and violate the same provisions if they wish to. While the government claims that public consent would be at the centreof processing data, it also mentions that all parties in various instances can compromise this. We can see two ideas which run parallel; the idea that the Bill protects an individual's data from misuse by other individuals- which something of prime importance in the digital era, and also the idea that giving such sweeping exemptions to the State could potentially aid it in turning into a surveillance state, defying the democratic principles of the nation in itself. The Personal Data Protection Bill, 2019 attempts to set a uniform framework for protecting and in doing so, it infringes citizens' right to privacy and goes against the spirit of democracy. Therefore, certain provisions of the Bill have raised discomfort for its major stakeholders, beingthe data principals and data fiduciaries, have been a subject of controversy. While some provisions must be retained in Bill for their contribution, there are others which need serious revision and consideration by the Parliament- which would limit the government's extensive powers and re-instil assurance among the public.