This article has been written by Gairik Sanyal. It has been edited by Ojuswi (Associate, LawSikho).
It has been published by Rachit Garg.
Developed countries of the west have come up with impressive data protection regimes in the wake of an unprecedented surge in public data collection by giant media owner corporations and states alike. Considered the strictest among them is the GDPR regime of the EU.
The Government of India, feeling the need for a robust data protection code in India at the backdrop of high profile data leak events and the Supreme Court’s exhortation for such a law appointed a committee under the chairmanship of Retired Justice B.N. Srikrishna to draft a Personal Data Protection Bill that will “ensure the growth of the digital economy while keeping personal data of citizens secure and protected.” This Committee came up with the Personal Data Protection Bill of 2019.
Subsequently, it was sent to a Joint Parliamentary Committee for improvement and fine-tuning. On the 16th of December 2021, the Joint Parliamentary Committee chaired by Mr P.P. Chaudary tabled its recommendations before both houses of the parliament. This article attempts to analyse and take a wholesome view of all aspects of data protection, including a detailed dissection of the recommendations of the JPC and a comparison with western models of data protection regimes.
Protection of data is the protection of privacy: pondering the need for data protection
The world is going through an unprecedented phase of internet activity thanks to social media giants like Google, Facebook, Twitter, Amazon etc. All of these media giants collect data from their users which could be classified as personal or sensitive, e.g. facial profile, phone number, and consumer preference patterns like what one likes to eat, wear etc. These are data susceptible to breaches and misuse. In fact, such breaches are more common than an average user may imagine. India has ranked third in global data breach charts with over 88 million users falling prey to such misuse, according to a Netherlands-based VPN company, Surfshark. Important public companies like Air India and McDonald's India have reported serious data leaks in the year 2021.
These leaked data could be put to a plethora of uses. From an innocuous use like gauging consumer preference in an area of production to much more malicious uses like phishing or banking fraud, data could be used for a whole spectrum of purposes. Most fundamentally, a data leak event compromises a user’s autonomy over his personal data and his right to give or withhold consent to sharing such information about himself as he wishes. The Supreme Court of India, in the watershed judgement of Justice K.S. Puttaswamy v. The Union of India, held that the right to privacy is a fundamental right under Articles 14, 19 and 21 of the Indian Constitution. This has created the space and necessity for a robust data protection regime more than ever before.
Western models of data protection regime compared: EU vs USA
The European Union and the United States of America have adopted diametrically opposite approaches to data protection. The Indian Government’s stated policy objective is to utilise the best of both approaches to make the Indian code more effective in real-world situations. The EU has adopted a citizens’ rights-centric approach, while the US has a protection-of-liberty (from state intrusion) approach towards data protection.
i. The EU
Articles 7 and 8 of the European Union Charter give constitutional status to ‘Privacy’ and ‘Data Protection’ respectively. The first time the European Union tried to adopt a coherent policy on data protection was in 2014, when it adopted the ‘Data Protection’ directive. Being only a directive, it was not binding on any of the member countries of the EU. It acted only as a policy guide for similar levels of data protection across nationalities. This directive was heavily influenced by the OECD guidelines on the issue. In 2016, the EU parliament came up with the GDPR (General Data Protection Regulation) and gave member countries two years to align their domestic laws with it. It was immediately binding on all the member states because it was in the nature of a regulation.
The EU model of data protection considers an individual’s right to control his personal data as paramount, and that right extends beyond giving consent for the collection of such data. The EU GDPR gives an individual control over his data not only to the extent of giving informed consent for its use, but also extends his right to rectification, change, objection to a certain use, erasure etc. after such data has been collected with valid consent.
Furthermore, certain data like ethnic origin, political opinions, membership of trade unions, religious beliefs, sexual preferences etc. are categorised as ‘sensitive data’. This type of data cannot be collected at all except under very limited exemptions like medical research. This applies to the state and private entities alike. It is for these reasons that the EU GDPR is considered the most stringent model of data protection law available on the planet.
ii. The US
The US lacks an express constitutional commitment to individual privacy, unlike the European Union. However, the courts in the US have pieced together the first, fourth, fifth and fourteenth amendments to give the interpretation that the right to privacy is an inviolable right of every US citizen. The fourth amendment, which talks about ‘unreasonable searches and seizures’, is really the key building block of the edifice of this interpretation.
Be that as it may, the US applies differential standards of data protection for government and private entities. Data processing by state agencies is regulated by overarching and sweeping legislation like the Privacy Act of 1974 and the Financial Privacy Act of 1978. These legislations are seen as the bulwark of individual privacy from government transgression. However, when it comes to the private sector, there is no such sweeping legislation; rather, sector-specific legislation like the Federal Trade Commission Act (FTC) or the Children’s Online Privacy Protection Act (COPPA) takes its place. The quintessential feature of these legislations seems to be a policy of ‘notice and consent’.
| EU GDPR | US Model |
|---|---|
| There is constitutional protection for the right to privacy and data protection in Articles 7 and 8 of the EU Constitution. | There is no constitutional guarantee for privacy. However, judicial interpretation has ensured that privacy is a cherished right. |
| Uses one omnibus law to protect data privacy for both public and private entities. | Uses sector-specific legislation to protect user data in those specific sectors, e.g. FTC, COPPA. |
| Known for its stringent provisions and harsh penalties. | Known to be lenient with private companies and very strict with state interventions. |
| Reflects an ideology of individual freedom being sacrosanct. The individual wields control over his data even after giving consent. He retains the right of withdrawal of consent, deletion of data etc. | Reflects the idea of ‘laissez faire’. The government is vigilantly kept out of the personal sphere of a private individual, whereas corporates are asked to follow only a policy of ‘notice and consent’. The data owner retains no right after giving his consent for data processing. |
Standard of Consent
The standard of consent required in the EU is defined in Article 7 and specified under recital 32 of the GDPR. Consent must be free, specific, informed and unambiguous.
- Free consent means that there must not be any undue pressure or influence bearing on the consent given. For example, in an employer-employee situation, the employee might fear retribution for declining consent. Here it will be incumbent on the data controller to raise the standard of consent by eliminating undue influence so that it could be considered free consent.
- Informed and specific consent implies that the data subject must be informed of who the data controller is and what purposes the data controller intends to put the data to (to avoid function creep).
- Finally, the consent must also be unambiguous. This means that the consent must be an affirmative action by the data subject and not passive acquiescence. Consent cannot be presumed and must always be actively sought and given for it to be unambiguous consent.
Existing laws on data protection in India
Currently, India lacks an omnibus law on data protection like the one in the European Union, the GDPR (General Data Protection Regulation 2016). A Personal Data Protection Bill was tabled on the floor of the parliament in 2019. It was eventually sent for recommendation to a Joint Parliamentary Committee (JPC). In December 2021, the JPC came up with its proposed recommendations, including changing the name of the bill to ‘Data Protection Bill’ instead of ‘Personal Data Protection Bill’ to make it more general and wide in its application.
However, this bill is yet to be passed by the parliament. In the absence of any such comprehensive data protection code, its role is being played by our good old Information Technology Act of 2000. S. 43A of the Information Technology Act reads as under: “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.”
In 2011, the government also notified the ‘Reasonable Security Practices and Procedures and Sensitive Personal Data Information Rules’ commonly called the SPDI rules under this section of the IT Act. Hence, S.43A along with the SPDI Rules 2011 is the ad hoc arrangement regulating data protection in India until the arrival of the proposed Data Protection Act.
Salient features of the Indian Data Protection Bill 2021
The Data Protection Bill 2021 has increased the applicability of the bill from only ‘personal data’ to include ‘non-personal data’ as well. Sensitive non-personal data includes all data that have gone through a process of anonymisation. Anonymisation can be defined as an irreversible process of conversion or transformation of data to a form in which the data principal cannot be identified (as per the standards of irreversibility laid down by the Data Protection Authority).
- A separate group of ‘sensitive personal data’ has been recognised in the bill. A higher threshold of consent has been applied to this category of data. This category includes information on the health, sexuality, political beliefs, and financial activity of a person.
- The Data Protection bill will apply both to state agencies and private entities. It will even apply to companies who are offering goods and services to residents in India with offices located abroad.
- The bill also envisages a Data Protection Authority and a Data Protection Officer (S. 30) who will be saddled with the responsibility of monitoring and regulating the functioning of the ‘data fiduciaries’ under the act and also of addressing grievances of the data principal.
- The Data Fiduciary will be obliged to inform the Data Principal regarding the likely nature of the use of his data, the rights of the Data Principal and also the process of grievance redressal.
- Social media companies which are not mere intermediaries of information, i.e., those which have the right to alter or remove content posted on their website (like Facebook and Twitter), may come under the definition of publishers under S. 26 of the Data Protection Bill.
- S. 25 of the bill mandates a timeline of 72 hours for reporting any data breach by any data fiduciary. The 72 hours will be calculated from the time at which such a breach was noticed by the data fiduciary.
An attempt at balancing the interests of the Data Fiduciary as well as the Data Principal
The bill tries to tread the tightrope of balancing the interests of both the Data Fiduciary and the Data Principal. On the one hand, S. 25 sets a time limit of 72 hours for reporting any data breach, thus warning companies against the indefinite delays in reporting seen in the past. On the other hand, clauses 13 and 14 allow companies to process non-sensitive personal data of employees without consent where there is a “reasonable purpose”, or if it is “necessary”, or if it can be “reasonably expected” in the normal course of action.
Criticism of the bill
Many of the committee members have written a dissent note, mainly due to the insertion of S. 35 into the act. This section allows the Data Protection Authority, by order, to exempt any government agency from the rigours of the act. The fear is that government agencies like the UIDAI, which collects public biometrics and other data, can now use this section to evade accountability or even judicial scrutiny. To allay some of these fears, the bill has included the words “reasonable, just, fair and proportionate” as a qualifier to any such exemption order. This will keep it open for judicial interpretation on a case-by-case basis. Moreover, S. 42 also provides for a robust Data Protection Authority with provisions meant to ensure its independence and impartiality. This too will act as an effective check against any arbitrary use of the exemption provision.
The Data Protection Bill of 2022 is a much-awaited legislation and a step in the right direction as well. The bill shows that we are clearly in favour of the umbrella-law model of the EU. This entails its own advantages and disadvantages. While most developed countries like Singapore and Canada have also chosen the omnibus-law model of the EU, it may not prove to be the best idea for India. Unlike these countries, India has an astounding litigation pendency rate.
Such a law will only add to the already colossal case burden of our courts. Divergent interpretations of provisions in the statute by various High Courts could also discourage investors by making the business atmosphere hostile. On the flip side, we also cannot afford a sector-specific approach like the US, because that would, in my opinion, require setting up tribunals, which are expensive affairs in their own right. It might help create a nimble and professional business ecosystem, but the SC has deprecated the practice of ‘tribunalising’ the justice system and hence might frown on it.
Moreover, preferring an appeal against a tribunal award would anyway drag the matter to the courts. On balance, the approach taken by the committee seems prudent, reasonable and, most importantly, actionable. It incorporates helpful provisions from both approaches. One change, if any is necessary, would be further qualification and truncation of the sweeping exemptions that can so easily be granted to government agencies under the law.
- Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India, (2017) 10 SCC 1.
- State IT Secretaries Conference, Ministry of Information and Technology, February 12 and 13, 2018, p. 8.
- The white paper submitted by the Justice Srikrishna committee also adopted a similar approach of synthesising global models of data protection (refer to the discussion at pp. 10–13 of the white paper).