On 03 December 2019, the Union Cabinet chaired by Prime Minister Narendra Modi gave the go-ahead to the updated version of the Personal Data Protection (PDP) Bill, which aims to protect the rights of an individual over the data he or she generates, thus erecting safeguards against the flow of sensitive information such as a person’s financial statistics, password, sexual orientation, biometric details, genetic data or religious and political beliefs. The PDP Bill 2019, which is likely to be tabled in parliament during the current session, will have an impact on how a wide range of companies operate in the country, including global giants such as Google, Facebook, WhatsApp, Twitter and Amazon and local biggies like Swiggy, Zomato and Flipkart. The bill proposes that companies mandatorily store sensitive personal information on servers located only in India. The same applies to critical data, which the government will define from time to time and which may include information that, for example, has a bearing on national security or is military data.
In the year 2012, BlackBerry Messenger, popular amongst its users as BBM and used by over ten million users in India alone, was facing a ban in India because the law enforcement agencies were not able to access the encrypted messages from the BBM server and the server was located outside India. It was only when the company shifted the BBM server to India and gave law agencies access to it that the ban was lifted. In the year 2018, it was revealed that Cambridge Analytica had harvested personal data from millions of Facebook users’ profiles without consent and used it for political advertising purposes. On 21 August 2018, the CEO of WhatsApp was asked to ‘comply with Indian laws’, ‘set up a local office’ and ensure that ‘illegal messages were traceable’ for law enforcement purposes. WhatsApp acceded to the first two demands but rejected the third, arguing that it would compromise the privacy of its users. In yet another incident, on 19 December 2019, the Delhi Police filed an FIR against M/s Score International Private Limited, a private company, on a complaint by the Defence Ministry, for allegedly not returning a database containing personal information of 45 lakh ex-servicemen after it completed a contract for ECHS smart cards. On 22 December 2019, Twitter warned Indian users about a data breach caused by malicious code in its app. The vulnerability within Twitter for Android could allow a bad actor to see non-public account information or to control one’s account, for example by sending tweets or direct messages. In addition to the above, data security breaches have been reported by many global giants in the past. To bring all the data collecting agencies within a legal framework, the Ministry of Electronics and Information Technology had set up the Srikrishna Committee in July 2017 to study issues related to data protection in India and to draft a comprehensive data protection bill.
The objective of setting up this committee was to ensure the growth of the digital economy while keeping personal data of citizens secure and protected.
What is the Personal Data Protection Bill
The PDP Bill defines a framework for all stakeholders with respect to handling, storing, processing, and accessing personal data. The bill requires the data fiduciary (the entity or individual who has the means and purpose of processing personal data) to ensure that personal data is accurate after processing, imposes a restriction on retention of data, and makes the data fiduciary accountable for the implementation of the act once passed. The bill makes the consent of the data principal (the individual whose data is being processed) mandatory for processing of personal data. The bill defines grounds on which data can be processed without the consent of the individual, such as employment. The central government, as per the bill, will notify the categories of ‘sensitive personal data’ depending upon the risk of significant harm, the expectation of confidentiality, etc. As per the bill, data fiduciaries are barred from profiling, tracking, or behavioral monitoring of, or targeted advertising directed at, children, and from undertaking any other processing of personal data that can cause significant harm to the child. The bill specifies the rights of data principals, including the right to confirmation, access, correction, erasure, data portability and the right to be forgotten, amongst others.
Restriction On Transfer of Sensitive and Critical Personal Data Outside India
As per the PDP Bill, sensitive personal data may be transferred outside India, but such sensitive personal data shall continue to be stored in India. Critical personal data shall only be processed in India. The transfer of sensitive personal data and critical personal data outside India can be done only after the approval of the authorities. The central government can exempt any agency from the above-mentioned provisions depending upon its purpose, such as research, archiving, etc.
Need for Data Protection
‘Data – the new oil’ is recognised as an important digital asset in the 21st century that needs to be safeguarded. The need for personal data protection is not just to protect a person’s data but also to protect the fundamental rights and freedoms of the persons to whom that data relates. Loss of information can lead to direct financial losses, such as lost sales, fines, or monetary judgments. It could also jeopardise national security. Thus, the PDP Bill will control the way information is handled and give legal rights to people who have information stored about them.
Data Privacy Laws in Other Countries
Data privacy laws have been enacted in more than 80 countries across the world. Data protection legislation in the United States empowers the US Federal Trade Commission to enforce federal privacy and data protection regulations. China’s road to data privacy bans multinationals from gathering data that is not relevant to their services, bans sharing identifiable data without consent, and requires companies to safeguard personal data. The General Data Protection Regulation (GDPR) is the core of Europe’s digital privacy legislation. In January 2012, the European Commission set out plans for data protection reforms across the European Union in order to make Europe ‘fit for the digital age’. Almost four years later, an agreement was reached on what that involved and how it would be enforced; the result is now referred to as GDPR, a new set of rules designed to give EU citizens more control over their personal data. The UK assembly has passed the Data Protection Act 2018, which substitutes the Data Protection Act of 1998.
The bill will give more teeth to the law implementing agencies when private companies are reluctant to share data for legal compliance. The bill will decrease the anonymity of users once social media companies implement a user verification mechanism, and hence prevent trolling, the spread of fake news and the sharing of misleading data. It provides data subjects with non-negotiable rights, such as access and objection, even where they have consented to the processing of their personal data. For the data fiduciaries, it will amount to better business management and customers’ security.
Experts claim that the data protection bill lacks definitions, which makes it technologically neutral but also more difficult to enforce. Data fiduciaries need to implement strict control over data access, which will involve additional cost, specialised training, and defined data protection procedures. Some argue that the data protection bill is indiscriminate, as it applies to a small business or a club in the same way as it applies to a global conglomerate. Also, data networks are global, but data protection is local and hence difficult to implement and audit. According to tech experts, the misuse of data may still continue.
Establishment of Data Protection Authority of India
The Data Protection Bill mandates the central government to establish a Data Protection Authority of India to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection. Some of the functions of the authority will be monitoring and enforcing provisions of the act, taking prompt and appropriate action in response to the personal data breach, the examination of any data audit reports, classification of data fiduciaries, monitoring the cross-border transfer of personal data, specifying codes of practice, promoting awareness, monitoring technological developments and commercial practices that may affect the protection of personal data among others. An appellate tribunal will also be established under the provisions of the act to speedily dispose of the cases of arbitration.
The PDP Act is important because it provides guidance and best practices for organisations and the government to follow on how to use personal data, including regulating the processing of personal data, thereby protecting the rights of the data principal. With the rise of online platforms for social media and e-commerce, millennials need to be handed a well-articulated Data Protection Act by Gen X. Once the PDP Bill becomes an Act, the next time a user clicks ‘I agree’ while accessing a website, both data principals and data fiduciaries will be under stronger terms of the user agreement, thus safeguarding individual and national interests. Finally, as the fifth estate (online) is expected to continue to rule the second decade of the 21st century as well, stronger laws for the protection of online data will help grow the digital economy faster and achieve the five-trillion-dollar economy goal for India.