Where to use it?

Governance | Mains Paper 2: Laws, Institutions & Bodies Constituted For The Vulnerable Sections

Prelims level: Data Protection Bill, RIGHT TO PRIVACY

Mains level: Issues with Personal Data Protection Bill, RIGHT TO PRIVACY

Why in news?

The government has withdrawn the Personal Data Protection Bill from Parliament after various amendments were offered by the Joint-Parliamentary Committee.

What is Personal Data?

  • Data can be extensively categorised into two types: personal and non-personal data.
  • Personal data pertains to features, traits or attributes of identity, which can be utilised to identify an individual.
  • Non-personal data includes aggregated data through which individuals cannot be recognised.
  • For instance, while an individual’s own spot would constitute personal data; information derived from multiple drivers’ locations, which is often used to analyse traffic flow, is non-personal data.

What is Data Protection?

Data protection directs to policies and procedures aiming to minimise intrusion into the privacy of an individual driven by the collection and usage of their personal data.

Why was a bill brought for Personal Data Protection?

  • The Supreme Court held that Privacy is a fundamental right under Article 21 of the Constitution.
  • The Court also heeded that the privacy of personal data and facts is a crucial aspect of the right to privacy.
  • A Committee of Experts, chaired by Justice BN Srikrishna, was set up to discuss diverse issues related to data protection in India.
  • The committee advanced its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018.

What does the Personal Data Protection Bill seek to provide?

  • Collection and storage: The bill controls personal data related to individuals, and the processing, collection and storage of such data.
  • Data Principal: Under the bill, a data principal is a person whose personal data is being processed.
  • Data fiduciary: The individual who determines the means and purposes of data processing is known as data fiduciary.
  • Data processing: The Bill manages the processing of personal data by both government and enterprises integrated in India.
  • Data localization: It also controls foreign companies, if they deal with the private data of individuals in India.
  • General consent: The Bill delivers the data principal with certain rights with respect to their personal data. Any processing of personal data can be accomplished only on the basis of permission given by the data principal.
  • Data Protection Authority: To assure adherence with the provisions of the Bill, and provide for further regulations with respect to the processing of personal data of individuals, the Bill sets up a DPA.

Issues with the PDP Bill

  • Exemptions to the govt: Section 35 of the bill enables the Central Government to exempt any agent of the Government from the provisions of the law.
  • No reasonable exemptions: There is no adequate explanation for government agencies to be exempted from basic provisions of the Bill.
  • Easy breach: This would be subject to procedures, safeguards, and oversight mechanisms to be prescribed by the Government.
  • Executive hegemony: There is no scope for oversight over the executive’s decision to issue such an order.
  • Arbitrary and intrusive: As indicated by the Pegasus case, the existing frameworks for protecting citizens from random and intrusive State activity lack robustness.

Issues with Exemption to State

  • Grounds of expediency: the use of this provision on foundations of expediency is an incredibly low bar for the Government to encounter.
  • No requirement for exemption order: There is no necessity for an exemption order to be proportional to meeting a certain State function.
  • No oversight on executive actions: There is no capacity for oversight over the executive’s judgement to administer such order or any securities prescribed for this process.
  • State surveillance: Section 36(a) of the Bill delivers for an exception where personal data is being processed against the criminal inquiry. This provision could thus facilitate vigilantism or allow privatized surveillance.

Best practices followed across the world

  • The European GDPR (General Data Protection Regulation) is generally witnessed as the standard of data protection regulation worldwide.
  • The EU regulation has in place a distinct law that negotiates the processing of personal data by law enforcement agencies.
  • UK’s Data Protection Act dedicates Part 3 that liberalises certain responsibilities while at the same time guaranteeing that data protection rights are also covered.

Way forward

  • Balancing privacy claims with those of public demands(such as that of State security) is a challenging job.
  • This should experience rigid consultations in Parliament taking into confidence all stakeholders.
  • Once discussed in Parliament, one can only expect that sufficient time and attention is given to locating a better balance between contending claims.