An Analysis of Personal Data Protection Bill, 2019
Written by: Ms Nikita Kumari
The Ministry of Electronics and Information Technology established a committee to look into all the issues related to Data Protection. The committee was named the Joint Parliamentary Committee and was headed by former Supreme Court Justice B. N. Srikrishna. In July 2018, the committee submitted the draft Personal Data Bill, 2018, which was approved on 4th December 2019 by the Cabinet Minister of India as the Personal Data Protection Bill, 2019.
The Personal Data Protection Bill, 2019 was later introduced in the Lok Sabha on 11th December 2019 by Shri Ram Shankar Prasad, Ministry of Law and Justice, Communication and Electronics and Information Technology. The main purpose of introducing this bill was to protect the personal data of every individual, and to create a framework and establish an authority to oversee that protection.
This Bill was mainly based on the principles of Europe’s General Data Protection Regulation, 2016. This Bill was re-analyzed by the committee in consultation with experts and stakeholders in March 2020 and this time it was headed by a BJP MP, Meenakshi Lekhi. The Joint Parliamentary Committee finalized the draft law before the Budget Session of 2020.
Need for Data Protection
- Protection of privacy: India has approximately more than 62 crore internet users, whose personal data is shared online when they use the internet. In August 2017, the Hon’ble Supreme Court declared that the right to privacy is a Fundamental Right followed by the right to life and personal liberty given under section 21 of the Indian Constitution, and that it shall be the constitutional duty of the State to protect every individual’s privacy. This was declared in the case of K.S. Puttaswamy & Anr. v. Union of India & Ors. At present, the procedure and transmission of personal data of citizens are regulated by the Information Technology (IT) Rules, 2011, under the Information Technology Act, 2000.
- Check snooping or surveillance by various agencies: In the year 2019, the Israeli software Pegasus hacked the WhatsApp accounts of 121 Indian citizens. In the Facebook-Cambridge Analytica data scandal of 2018, personal data provided in the Facebook profiles of millions of people was used for political advertising without their consent or proper knowledge. In the year 2020, the world was suffering from the pandemic caused by COVID-19; with the condition of businesses and the economy getting worse and worse, there was a high risk of cybercrime aimed at hacking and breaching personal data. The world adopted remote working so that organizations and businesses could keep running, using digital tools to do so, which resulted in technological adoption during the pandemic. There were many personal data breaches during this period, such as:
Twitter Data Breach: As per a source, more than 120 Twitter accounts were hacked.
Zoom Data Breach: As per a report submitted by the Sunday Times, the login details of over 5 lakh users of the Zoom app were found on the dark web.
Unacademy Data Breach: The data of over 22 million people was hacked and put on the dark web for sale.
BigBasket Data Breach: The login details of over 20 million users were exposed and found on the dark web.
And many more…
- Economic losses by cybercrimes: As per an IBM study, the average cost of a data breach in India is Rs. 12.8 crore, and the cost of a stolen record reached Rs. 5019 in 2018. Moreover, data breaches could cost the world around $600 billion in 2018. In the year 2020, the global cost of data breaches was more than 1 trillion dollars, which is double the total cost of data breaches in the year 2018.
- Increasing sophistication of cybercrimes: As per the IBM study, the root cause of 51% of data breaches in India was malicious or criminal attacks. Moreover, ransomware was the most common reason behind the increasing sophistication in cybersecurity trends over the past year, as per the data provided by the Microsoft Digital Defense Report.
Key features of the Bill
- Personal Data and Processing: The Personal Data Protection Bill, 2018 applies to the processing of all personal data of people, that is, data that can be used to identify an individual. This Bill deals with various types of personal data:
- Sensitive Personal Data: Data related to finances, health, official identifiers, sex life, sexual orientation, biometrics, genetics, transgender status, intersex status, caste or tribe, and religious or political belief or affiliation. Anonymized data is not covered under this Bill.
- Critical Personal Data: Military or national security data. It is up to the Central Government to determine what is to be considered Critical Personal Data, and no other authority has the right to determine whether data comes under critical personal data or not.
- General Personal Data: Data other than sensitive personal data and critical personal data is covered under the head of general personal data.
The bill is applicable to both government and private entities all over India. In other words, the bill governs the processing of personal data by the government, companies incorporated in India, and foreign companies dealing with the personal data of individuals in India.
Obligations of Data Fiduciary
The bill requires that unambiguous consent be taken from the Data Principal regarding the data to be processed. A Data Fiduciary is an entity or individual who accumulates personal data and decides the means and purposes for which it is collected or processed.
The obligations of Data Fiduciary are defined under Chapter II of the Personal Data Protection Bill, 2019:
- The personal data can be processed only for specific, clear, and lawful purposes.
- All Data Fiduciaries must undertake certain transparency and accountability measures such as:
- Implement security safeguards like data encryption and prevent misuse of data,
- Institute a grievance redressal mechanism for complaints raised by individuals.
Rights of Data Principal
The rights of the Data Principal are given under Chapter V of the Personal Data Protection Bill, 2019:
- Right to enquire the status of data processing,
- Right to ask the Data Fiduciary to transfer the data to another Data Fiduciary for certain purposes,
- Right to modification, and correction of data,
- Right to be forgotten, which allows Data Principals to remove their personal data that is published online and gives them the freedom to ask Data Fiduciaries to delete any data which they don’t want in the public domain.
Grounds for processing personal data
The Bill allows Data Fiduciaries to process an individual’s personal data only if the individual gives consent.
Chapter III of the Personal Data Protection Bill, 2019 deals with the grounds for the processing of personal data without an individual’s consent:
- if required by the State for providing benefits to the individual,
- in legal proceedings,
- in response to a medical emergency.
Social Media platforms
Social media platforms that connect people online, have users above a certain threshold, and have implications for democracy and public order have certain obligations, such as providing a voluntary user verification mechanism for users in India. Examples are Facebook, Twitter, etc.
Data Protection Authority
This Bill establishes a Data Protection Authority of India:
- To enforce the bill,
- To look into the implementation,
- To pass orders on data protection,
- To prevent the misuse of personal data.
It is compulsory for sensitive personal data to be stored in India; it can be transferred outside India only for the purpose of processing, with the explicit consent of the Data Principal and subject to certain additional conditions. As notified by the Government of India, Critical Personal Data cannot be transferred outside India even for the purpose of processing.
Under section 35 of the Personal Data Protection Bill, 2019, the Central Government may exempt any of its agencies from the provisions of the Bill:
- In the interest of the security of the state, public order, unity, integrity, and sovereignty of India and friendly relations with foreign states.
- If the Central Government wants to prevent any crime related to the above subjects.
Other exemptions to the Bill:
- Investigation purposes,
- Journalistic purposes.
Sharing of non-personal data with Government
The Central Government may direct data fiduciaries to provide it with any:
- Non-personal data,
- Anonymized data (personal data which is modified so that individuals cannot be identified) for better targeting of services.
- Processing or transferring personal data in violation of the Bill is punishable with a fine of Rs. 15 crores or 4 per cent of the annual turnover of the Data Fiduciary, whichever is higher.
- Failure to conduct a data audit is punishable with a fine of Rs. 5 crores or 2 per cent of the annual turnover of the Data Fiduciary, whichever is higher.
- Re-identification and processing of de-identified personal data by a Data Fiduciary without the consent of the Data Principal is punishable with imprisonment of up to 3 years, or a fine, or both.
Amendments to other laws
The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.
Loopholes in the Personal Data Protection Bill, 2019
- The Central Government has uninterrupted power to define Critical Personal Data.
- Under this Bill, Data Principals have the right to be forgotten, but how would they know that their information has been deleted? It is possible that Data Fiduciaries could still store the information personally.
- Consent is not required where the State is providing benefits to the individual, but there is a chance that the individual does not need that benefit from the State, such as LPG.
- Members of the Data Protection Authority are to be selected by a government-dominated panel, so there is a greater chance that the members are close to the government, which could reduce the transparency of the Data Protection Authority of India.
- The Central Government has blanket power, as it may exempt any of its agencies from the provisions of the bill. This could amount to surveillance.
A powerful law for the protection of data is the need of the hour in India. The Bill tries to provide safeguards for the protection of the privacy of individuals with respect to their personal data. The Bill recommends superseding Section 43-A of the Information Technology Act, 2000, removing the provisions linked to compensation payable by companies for failure to protect the personal data of individuals.
The Personal Data Protection Bill recommends the way in which personal data is to be collected, handled, used, disclosed, stored, and transferred. This Bill recommends protecting Personal Data. The protection provided under the bill relates to identity, such as Aadhaar numbers and other forms of statutory identification; to the characteristics, traits, or attributes of a natural person; and to Sensitive Personal Data such as financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political beliefs.