Context: Justice B N Srikrishna, who headed the committee that drafted the original Personal Data Protection Bill, 2018, has criticised the new bill on the grounds that it gives extra powers and legal exceptions to the government, potentially leading to an *“Orwellian State”.
*"Orwellian" is an adjective describing a situation, idea, or societal condition that George Orwell identified as being destructive to the welfare of a free and open society.
Current status of The Personal Data Protection Bill, 2019
It has been cleared by the Cabinet recently, and was referred to a 30-member committee set up for the specific purpose of deliberating on it.
The Personal Data Protection Bill, 2019
Ministry: Law and Justice
The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same.
- Applicability: The Bill governs the processing of personal data by:
(ii) Companies incorporated in India, and
(iii) Foreign companies dealing with personal data of individuals in India.
Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, etc.
- Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purposes.
- Rights of the individual: The Bill sets out certain rights of the individual (or data principal). These include the right to:
(i) obtain confirmation from the fiduciary on whether their personal data has been processed,
(ii) seek correction of inaccurate, incomplete, or out-of-date personal data,
(iii) have personal data transferred to any other data fiduciary in certain circumstances, and
(iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
- Grounds for processing personal data: These include:
(i) if required by the State for providing benefits to the individual,
(ii) legal proceedings,
(iii) to respond to a medical emergency.
- Social media intermediaries: The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information.
- Data Protection Authority: The Bill sets up a Data Protection Authority which may:
(i) take steps to protect interests of individuals,
(ii) prevent misuse of personal data, and
(iii) ensure compliance with the Bill.
Composition: It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology.
Appeals: Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
- Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions.
- Exemptions: The central government can exempt any of its agencies from the provisions of the Act:
(i) in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and
(ii) for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters.
- Offences: Offences under the Bill include:
(i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and
(ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher.
- Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any:
(i) non-personal data and
(ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
- Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.
Criticisms made by Justice B N Srikrishna
- Watering down data localisation requirements:
- Due to lobbying by foreign companies the provision has been diluted.
- Diluted provisions requiring foreign fiduciaries to locate and process data within the territory of India.
- The perceived increase in the power of government and industry threatens the delicate balancing act between the three stakeholders of data protection.
- The personal data mirroring requirement:
- The earlier draft required entities to store a copy of all personal data, even non-sensitive and non-critical data, in India. The new version of the Bill, on the other hand, removed the mirroring requirement for personal data and allowed sensitive data to be stored abroad with government approval.
- The earlier draft provided for it because, if such data needed to be accessed at short notice, it would be impossible to follow the MLAT process to get it, as that would take at least 18/24 months.
JV’s Prelims Snippets
About The Mutual Legal Assistance Treaty (MLAT)
- It is the extensive process that Indian authorities have to follow in order to receive information from an American company for law enforcement purposes.
- Even American industry associations have recognised the need to adapt the mechanism for the speed of digital technologies.
- Exemptions made for government surveillance which may dominate the Data Protection Authority.
- These exemptions are a violation of the right to privacy and the potential introduction of an “Orwellian State”.
- The government’s power to notify social media intermediaries as “significant data fiduciaries” has also been criticised.
- Right to call in all non-critical personal data held by any entity: this could legally and democratically enable pervasive state surveillance.
- Shifting of power from data protection authority to central government:
- The new Bill shifts many powers from the Data Protection Authority to the central government, such as determining the definition of sensitive personal data.
- The new Bill also removes the original draft’s independent committee that appoints DPA members, giving government officers appointment powers instead.
- The government has arrogated to itself the right to define the nature of critical private data and the constitution of the proposed Data Protection Authority.
- In the draft made by Justice Srikrishna, the members of the Data Protection Authority were to be appointed by an independent committee.
- Power of the government to direct any entity to provide all their non-personal data: A vague and generalized declaration will provide a carte blanche to access non-personal data from citizens and business entities.
About Data Localisation
It is the practice of storing data on any device that is physically present within the borders of the country where the data is generated.
Benefits of data localisation
- Helps in the maintenance of law and order
- Public order related incidents such as lynching across the country which are linked to WhatsApp rumours and fake news can be dealt with due to proper surveillance.
- Better implementation of social programs due to proper statistics collection.
- Security against foreign attacks and surveillance
- It is considered necessary due to the slow and outdated processes of the Mutual Legal Assistance Treaty (MLAT).
How will it impact India?
- Data localisation will not automatically lead to data sharing as there is no law in the country that allows government entities “unfettered” access to “all data” even if it is located in the country
- Even if data is stored in the country the encryption keys still remain out of reach of national agencies
- May backfire on India's own startups that are attempting global growth
The pathways of data sharing must be embedded in policy before data localisation is proposed as a solution.