All About the Personal Data Protection Bill and Right to Privacy
________________________________________________________________________________
This Blog is written by Tanvi Sanjay Rane from Dr. D.Y. Patil College of Law, Maharashtra. Edited by Karan Dutt.
________________________________________________________________________________
INTRODUCTION
Privacy literally means the quality of being secluded from the presence or view of others or the condition of being concealed or hidden. It entails the quality or state of being apart from company or observation. It is the freedom from unaccredited invasion. It is an important aspect of human dignity and is inseparable from a dignified human existence. It has thus been recognised as a fundamental human right in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and in many other international and regional treaties. It is also a constitutionally protected right which emerges primarily from the guarantee of life and personal liberty in Article 21 of the Indian Constitution. It is recognised by the Constitution as inhering in each individual as an intrinsic and inseparable part of the human element which dwells within.
With the advent of technology, privacy in recent years has garnered a lot of attention. For years since we have been on internet, we have been giving bits of information about ourselves to anyone who would ask. We give information about us and our friends to Facebook quizzes hosted by third party apps; told Amazon delivery exactly where we live and where we work; gave services like Cult fitness our health data and even our biometrics. All the while hoping that their privacy policy, the thing that we consented to without reading it, would keep and use this data responsibly. This data free for all comes to an end with the Data Protection Bill. When this bill becomes a law, Indians who make up a second largest population of internet users after China will finally have more control over our data. Who uses it and how much!
We live in an age where we are the sum of the data that we generate. Therefore, how our data is collected, stored, shared and used; directly affects our daily lives. In times when data intercedes our relationship with the government as well as private companies, the existence of a strong legislation is essential to ensure that the state acts as a model data controller which ensures both, data security and more importantly respects citizens privacy. As the bill has made its way to the parliament, it is important to analyse the bill with its pros and cons; along with understanding what the state thinks of privacy as a fundamental right and how it treats data in today’s digital economy.
RIGHT TO PRIVACY AS A FUNDAMENTAL RIGHT
Although right to privacy has been recognised in many cases, the breakthrough in privacy law was in the landmark judgement of Justice K. S. Puttaswamy v. Union of India by the Supreme Court of India, which held that the right to privacy is protected as a fundamental right under articles 14,19 and 21 of the Constitution of India. It is important to understand right to privacy with respect to this case.
In this case, the Aadhaar Card Scheme of the Government of India, under which the Government of India was collecting and compiling both the demographic and biometric data of the residents of the country to be used for various purposes, was attacked on various counts including the violation of right to privacy. The Court by an interim order directed the Union of India to give wide publicity in the electronic and print media including radio and television networks that it was not mandatory for a citizen to obtain an Aadhaar Card and the production of an Aadhaar Card not to be a condition for obtaining any benefit otherwise due to a citizen. Besides, the Unique Identification Number or the Aadhaar Card would not be used by the respondents for any purpose other than PDS scheme and in particular for the purpose of distribution of food grains, etc., and cooking fuel, such as kerosene and LPG distribution scheme.
Thereafter, the Supreme Court, by a Bench of nine Judge overruled M. P. Sharma v. Satish Chandra, which had held the right to privacy not protected by the Constitution. It also overruled Kharak Singh v. State of U.P., to the extent it had held right to privacy not protected by the Constitution. Justice Dr. D. Y. Chandrachud held – “Privacy is concomitant of right of an individual to exercise control over his or her personality. It finds an origin in the notion that there are certain rights which are natural to or inherent in human being. Natural rights are inalienable because they are inseparable from human personality.”
The Court has concluded following with respect to privacy:
• Privacy is the constitutional core of human dignity. Privacy has both a normative and descriptive function. At a normative level, privacy sub-serves those eternal values upon which the guarantees of life, liberty and freedom are founded. At a descriptive level, privacy postulates a bundle of entitlements and interests which lie at the foundation of ordered liberty.
• Privacy includes at its core the preservation personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation. Privacy also connotes a right to be left alone. Privacy safeguards individual autonomy and recognises the ability of the individual to control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to privacy. Privacy protects heterogeneity and recognises the plurality and diversity of our culture. While the legitimate expectation of privacy may vary from the intimate zone to the private zone and from the private to public arenas, it is important to underscore that privacy is not lost or surrendered merely because the individual is in a public place. Privacy attaches to the person since it is an essential facet of the dignity of the human being.
• Like other rights which form part of the fundamental freedoms protected by Part III, including the right to life and personal liberty under Article 21, privacy is not an absolute right. A law which encroaches upon privacy will have to withstand the touchstone of permissible restrictions on fundamental rights. In the context of Article 21, an invasion of privacy must be justified on the basis of a law which stipulates a procedure which is fair, just and reasonable. The law must also be valid with reference to the encroachment of life and personal liberty under Article 21. An invasion of life or personal liberty must meet the three-fold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of legitimate State aim; and (iii) proportionality which ensures a rational nexus between the object and the means adopted to achieve them.
• Privacy has both positive and negative content. The negative content restrains the State from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the state to take all necessary measures to protect the privacy of the individual.
PRELIMINARY
The Ministry of Electronics and Information Technology set up a committee to study issues related to data protection in July 2017. Retired Supreme Court Judge Justice B. N. Srikrishna presided over this committee. A year later the draft Personal Data Protection Bill, 2018 was submitted by the committee in July, 2018. The Personal Data Protection Bill 2019 was introduced in the Indian Parliament by the Ministry of Electronics and Information Technology on 11 December 2019. As of March 2020, the Bill is being analysed by a Joint Parliamentary Committee in consultation with experts and stakeholders. Meenakshi Lekhi, heads the joint parliamentary committee set up in December 2019.
The bill aims to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.
STATUTORY PROVISIONS/KEY HIGHLIGHTS OF THE PROPOSED LAW
• The law will have jurisdiction over the personal data that is used, shared, disclosed, collected or otherwise processed in India.
• The law will not have retrospective application and will come into force in a structured and phased manner.
• It will cover personal data used by companies incorporated under Indian law, irrespective of the data being processed in India or not.
• The law will cover processing of personal data by both public and private entities.
• Sensitive personal data will include passwords, financial data, health data, sex life, sexual orientation, biometric and generic data.
• Such data also covers information that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
• A regulator – Data Protection Authority of India (DPA) – will be set up for the effective implementation and enforcement of the law.
• The new regulator will have a chairperson and six whole-time members.
• For consent from individuals to be valid, it should be free, informed, specific, clear and capable of being withdrawn.
• For sensitive personal data, consent will have to be explicit.
• Individuals will have the right to access their personal data with entities, make corrections to it, and also restrict its usage.
• Penalties may be imposed for violating the data protection law.
• Any person below the age of eighteen years will be considered a child under the law.
• Entities processing data of the children will have to develop appropriate mechanism for age verification and get parental consent.
• Data collecting entities will be responsible for data quality and storage limitation. However, accuracy of personal data is the responsibility of the individual.
• The committee has identified 50 statues and regulations, which potentially overlap with the data protection framework.
• The Aadhar Act, needs to be amended to bolster data protection, and the committee has suggested amendments to the act.
• Some features of the proposed law can be understood with the help of the following table –
What it means for consumers |
|||||
Data can be shared or processed by any entity only after consent. | Safeguards, including penalties, introduced to prevent misuse of personal data. | All data to be categorized under three heads – general, sensitive and critical. | |||
The Government and Regulatory Roles |
|||||
Government will have power to obtain any user’s non-personal data from companies. | The bill mandates that all financial and critical data has to be stored in India. | Sensitive data has to be stored in India but can be processed outside with consent. | |||
What Companies Have to Do |
|||||
Social media firms to formulate a voluntary verification process for users. | Sharing data without consent will entail a fine of Rs. 15 crore or 4% of global turnover. | Data breach or inaction will entail a fine of Rs. 5 crore or 2% of global turnover. | |||
• Centre can exempt agency of the state from provisions of the law.
• Certain provisions will not apply to government if personal data is processed in interests of prevention, detection, investigation and prosecution of any offence, and is necessary for enforcing a legal right or used for a judicial function by a court.
• The government can exempt certain data processors from application of the law.
• Data Fiduciary – According to the bill, a data fiduciary can be an individual, organisation, state or entity that chooses how their data should be processed, handled and stored. By calling an organisation a data fiduciary, the bill implies that our relationship with it has an element of trust in it that goes beyond transaction. For example, if we give our data to Facebook, as a fiduciary it is obligated to use it in a trustworthy manner. How data flows are that it collected, it is processed and it is stored. Even if data is collected of Indians by Facebook, it could be stored in a physical location overseas. Hence, there is a concept in the bill known as “data localisation” that insists, certain data taken from us Indians to be stored within the borders of India itself. They call this Data Localisation.
PROS AND CONS OF THE BILL
Pros
The Data Protection Bill would restrict the potential of international tech giants to manipulate user data, could possibly secure Indian users from data breaches. It would lead to greater local activity by Indian tech companies, generating more employment in the country.
A need for sophisticated infrastructure created by the provisions of the bill makes way for the possibility of the Indian Government to come up with the right kind of infrastructure.
The bill checks the instances of cyber attacks and the spread of fake news. It gives a number of rights to the individuals which makes them well aware of the nature and purpose of the data collected.
Data localisation will make it easy to give access to data for investigative purpose.
Cons
Although the bill empowers the citizens with certain rights it has certain drawbacks. It fails to empower citizens at an individual level. It lacks to address or grant individual rights and agency to data owners.
While the bill precludes international giants from exploiting consumer data, it also transfers this ability into the hands of the Indian Government. The government is empowered to access the personal data under wide reasons including national security, sovereignty, integrity etc. This will eventually lead the government to intrude in the lives of the citizens defeating the purpose of the bill.
The bill also puts the government over a competitive advantage over international tech giants and, thus, does nothing to put an end to the commercialization of user data.
While the draft bill says that consent would be at centre for processing our personal data, it provides exemptions for the government. The government can process even sensitive personal data without consent for functions of the state. A sweeping and broad power that could be prone to misuse.
CONCLUSION
Technological change has given rise to concerns which were not present seven decades ago and the rapid growth of technology may render obsolescent many notions of the present. Hence, the laws must be resilient and flexible to allow future generations to adapt its content bearing in mind its basic or essential features. As there is an obligation on the state to protect the privacy of its citizens it must ensure that this obligation is fulfilled. As some provisions of the bill are contrary to this obligation, the state must endeavour to correct them before the bill gets complete sanction. There is a need to restructure the objectives of the bill, making it safe for the citizens and ensuring their trust in the government. A robust data protection law is the need of the hour so due importance should be given in implementing a secure law without any infirmities.
REFERENCES
(1) The Personal Data Protection Bill, 2019.
(2) Constitutional Law of India, Dr J. N. Pandey.
(3) Justice K. S. Puttaswamy v. Union of India, AIR 2017 SC 4161.
(4) P. Sharma v. Satish Chandra, AIR 1954 SC 300.
(5) Kharak Singh v. State of U.P., AIR 1963 SC 1295.