“A well designed data governance program provides the right ownership and accountability model to get to the root cause and resolution of data issues.”– Allison Sagraves (Chief Data Officer, M&T Bank)
Data is the driving force of today's world, and it is collected from every possible corner. Personal Data (PD) is any information specific to an individual that serves to identify that person, such as name, birth date, nationality, location, email addresses, phone numbers and even transactional information such as credit card numbers.
Many companies (e.g. social media) collect PD to provide users with personalized suggestions that keep them engaged. Often it is aggregated (to depersonalize it) and sold for advertising and research purposes. However, this has raised issues of privacy and of the protection of vulnerable individuals.
This has led to concerns regarding the protection of such data. Regulations guarantee the security of individuals' data and govern its collection, usage, transfer and disclosure. Various countries have data protection laws in place, and many others are on the path to enacting them.
The Apex Court has also recognised privacy as a fundamental right in the case of K.S. Puttaswamy (Retd) & Anr vs Union of India and Ors.
Personal Data Protection Bill, 2018:
In 2017, the Ministry of Electronics and Information Technology (MEITY) constituted a Committee of Experts to deliberate on a data protection framework for India. This committee, headed by ex-SC judge Justice BN Srikrishna, was constituted to identify key data protection issues in India and recommend methods of addressing them. The Government of India needed to ensure the growth of the digital economy while keeping the personal data of citizens secure and protected.
The committee submitted the Personal Data Protection Bill in 2018. After further deliberations, it was approved by the cabinet in December 2019 and tabled in Lok Sabha in the same month.
The bill seeks to replace the current IT Act and its rules. It focuses on the manner in which PD is to be collected, processed, used, disclosed, stored and transferred. It talks about protecting "Personal Data", such as the identity, characteristics and attributes of individuals, and "Sensitive Personal Data", such as financial, health, sexual, biometric and genetic data, LGBTQ aspects, caste or tribe, and religious or political beliefs.
- In what cases it is applicable:
- PD collected and processed in the territory of India
- PD collected by any organ of the State (whether government or PSUs), any Indian citizen or any company incorporated under Indian law.
- It also extends to data fiduciaries/processors not operating from India, where their business is to offer goods/services to Indian users or their activities involve the profiling of Indian users.
These provisions do not apply to anonymized data, meaning data from which identifying particulars/details have been removed.
- Obligations of Fiduciaries:
The Bill defines a data fiduciary as any person, including the State, a company, any juristic entity or any individual, who alone or in conjunction with others determines the purpose and means of processing of PD.
- Prohibiting processing:
Data can be processed only for specific, clear and lawful purposes.
- Limitations on the purpose of processing of data:
Fiduciaries are to process such PD in a fair and reasonable manner that ensures the privacy of users. Data is only to be used for the purpose consented to by the users, or for matters incidental to or connected with that purpose (for which the user would reasonably expect the data to be used).
Personal data is also to be collected only to the extent necessary for the purposes of processing such data.
- Notice for collection or processing:
Every fiduciary is to give a notice stating: the purposes of collection and processing of PD; by whom it is being collected (details of the fiduciary); the right of the user to withdraw consent; the basis for processing and the consequences of failing to provide the PD; the sources of such collection (where data is shared from one fiduciary to another); any cross-border transfer of PD that it intends to carry out; and the retention period of the collected data.
[An example of this is websites asking users to accept or deny the use of "cookies". This practice arose because of the European Union's General Data Protection Regulation (GDPR) passed in 2018.]
- Quality of PD processed:
The fiduciaries are to take the necessary steps to ensure that the data processed is complete, accurate, not misleading and up to date, having regard to the purpose for which it is processed.
- Restriction on retention:
The data fiduciary is not to retain any PD beyond the period necessary to satisfy the purpose of processing. It is also to delete the said data at the end of the processing.
- Consent Withdrawal:
The bill empowers users to withdraw their consent, at any point, from the fiduciaries acquiring their information. On such withdrawal, it is obligatory on the part of the fiduciary to remove that information from its collection.
- Transfer of PD outside India
- PD is allowed to be processed and stored outside India.
- Sensitive PD is to be stored in India and can be transferred externally for processing only with the explicit consent of the user, subject to additional conditions such as:
a. Transfers can only be done under a contract or intra-group scheme approved by the Data Protection Authority of India, which the bill proposes to set up.
b. The Central Government, in consultation with the Authority, allows the transfer of PD to a country, an entity in a country or an international organization on certain grounds, such as: the PD is adequately protected in accordance with applicable laws and international agreements; and the transfer would not affect the enforcement of laws in the appropriate jurisdictions.
c. Critical PD can only be processed and stored in India with a few exceptions such as for health services or emergency services where such transfer is necessary for prompt action. In such cases, these transfers are to be notified to the Authority.
The bill empowers the central government to exempt any of its agencies from the provisions of the Act if they are acting in the interest of the security of the state, public order, the sovereignty and integrity of India, or friendly relations with foreign states, or for preventing incitement to the commission of any cognizable offence relating to the above matters. Processing of PD is also exempted from the provisions of the Bill for other purposes such as the prevention, investigation or prosecution of any offence, or for personal, domestic or journalistic purposes.
- Offences under the Bill:
The bill also provides for offences for breach of its provisions. These include:
- Any person who knowingly or intentionally re-identifies PD which has been anonymized by a fiduciary or a processor, or re-identifies and processes such PD without the consent of the fiduciary or processor, can be punished with imprisonment of up to three years or with a fine which may extend to two lakh rupees.
- Companies are responsible for the conduct of the individuals under them and are thus deemed guilty of the offence and liable for it.
- Even for offences committed by the State, the head of the department or authority concerned is deemed guilty of the offence and shall be liable for it.
The WhatsApp privacy concern mentioned above left the EU immune to those policy changes. This was due to the General Data Protection Regulation, a very important regulation that stands as a strong international example for other nations. It was passed in 2018 and requires companies to protect citizens' personal data. Companies that fail to comply face severe fines and penalties.
Some important provisions include the right to erasure, under which subjects may direct the controller to completely erase their personal data in certain circumstances. It requires companies to put in place pertinent policies to protect citizens' data. Further, the provisions on data breaches are strict and time-bound. This means that not only will breaches be detected quicker; they will also be dealt with faster. This places citizens' right to privacy at the highest level.
The PDP Committee had also asked for comments and evaluation on the draft. The overall bill aims at much better PD protection for Indian users. Once passed, it will make huge companies answerable for their lapses. The bill has been in the works for over five years and is now due to do its job for the citizens. The push of the Covid-19 pandemic towards greater digitalization has made such a protection bill even more urgent.
The passing of the bill will be exceptional for developing India and its new global citizens.
Rajat Rajan Singh
Advocate at Allahabad High Court Lucknow
and Editor-in-Chief at Law Trend