This article is written by Yash Sharma, a law student at Vivekananda Institute of Professional Studies, Indraprastha University, New Delhi. It deals with the issues in the Personal Data Protection Bill, 2019, in the context of its provisions.
The Personal Data Protection Bill, 2019 was presented in the Lok Sabha by Mr. Ravi Shankar Prasad, Minister of Electronics and Information Technology, on 11th December 2019. This Bill was presented to safeguard the personal data of the individuals under the right to privacy under Article 21 of the Indian Constitution as held by the Supreme Court of India in Justice K.S. Puttaswamy Case. The Bill further tries to protect the privacy of individuals, by securing the use of their personal data by data processors or data fiduciaries.
This Bill, regulatory in nature, not only creates a safe environment for a data principal to have his or her data processed but also protects the right of the data fiduciary to carry on its profession. The Bill gives both partners in this relationship certain rights and liabilities so that it can work effectively. It seeks to ensure that the judgement of the Supreme Court and the rights under the Constitution are protected and safeguarded.
It attempts to create a secure mechanism for the processing of data by establishing norms for social media intermediaries, cross-border transfer and the liabilities of agencies processing personal data, providing remedies for illegal, unauthorized and harmful processing, and laying down the framework of a Data Protection Authority for India for these purposes. The need for the Bill also arises from the growth of the digital economy and the need to monitor the valid use of data as a means of communication.
The Objective of the Bill
In the case of Justice K.S. Puttaswamy and Anr. vs. Union of India [WP 494 of 2012], a nine-judge constitutional bench of the Supreme Court recognized that “privacy” is part of the fundamental right under Article 21 of the Constitution, that is, the “Right to Life”. Subsequently, in 2018, while delivering its final judgment in the above case, the Supreme Court stated the need for a mechanism to protect data and called upon the government to create one.
The Committee of Experts on Data Protection, chaired by Justice B.N. Srikrishna, was constituted by the Government on 31st July 2017. Its mandate was to assess the issues relating to data protection. The committee, headed by Justice B.N. Srikrishna, drafted the Personal Data Protection Bill, 2018, and certain suggestions and recommendations were made on the basis of that draft. Based on the recommendations in the report submitted by the committee and the suggestions received from various stakeholders, the enactment of the Personal Data Protection Bill, 2019 was put in motion.
The main objective of the Bill is to establish a strong and efficient data protection framework for India, to set up an Authority to monitor the use of personal data, and to empower citizens with a redressal mechanism, so that their guaranteed right to “privacy and protection of personal data” is protected.
Application of the Act
The Bill applies to the processing of personal data by data fiduciaries, which include:
- companies incorporated in India, and
- foreign companies dealing with personal data of individuals in India.
The Bill defines personal data as any data through which the individual to whom that data belongs could be identified. Personal data includes data embodying characteristics, traits or attributes of identity that can be used to identify that individual. Within the definition of personal data, the Bill also includes the concept of “sensitive personal data”, which covers:
- financial data;
- health data;
- sex life;
- biometric data;
- genetic data;
- religious or political belief or affiliation.
Obligations of Data Fiduciary
A data fiduciary is any person, company, juristic entity or individual, including the State, who alone or in conjunction with others determines the purpose and means of the processing of personal data. The fiduciary is under an obligation not to process any personal data except for a specific, clear and lawful purpose.
More specifically, it is the responsibility of the data fiduciary to process such personal data in a fair and transparent way and to secure the privacy of the person whose data is being processed. Where personal data has been collected with consent, the data fiduciary is obligated to process it only for the purpose stated when obtaining consent, or in ways the person would reasonably expect it to be used for that purpose and in the context of the circumstances in which the data was collected.
The obligation of Data Fiduciary to Take Consent
Clause 11 of the Bill sets out the obligation of the data fiduciary to take consent and the legally prescribed way of doing so. The data fiduciary is obligated to collect data only to the extent necessary for the purpose of the collection and processing. Every data fiduciary is required to give notice to the data principal at the time of collecting data and to take consent before collecting it; where the data is not collected from the data principal directly, notice must be given as soon as reasonably practicable.
The obligation of Data Fiduciary to Validate Data
The data fiduciary has the responsibility to take care while collecting data and to make sure that the data is complete, accurate, updated and not misleading. It shall not begin processing the data without legal consent. The fiduciary shall not store the data for longer than is necessary for the purpose of the processing, and shall delete the data once that purpose is achieved.
Grounds for Processing of Personal Data Without Consent
Chapter 3 of the Bill sets out the exemptions under which data may be processed without consent. Its clauses provide that the collection of data without consent is possible in certain cases, such as for employment, the fulfilment of government policies, and other reasonable purposes enumerated in the Bill. A person's data could be processed without consent by the State for the performance of functions authorized by law. Certain provisions allow the fiduciary to process such personal data in order to provide the data principal with a benefit under State policies, or to issue any certificate, licence or permit for an action or activity that requires State approval. Other instances include:
For Purposes Related to Employment
Clause 14 of the Bill allows a person or company to process personal data, other than sensitive personal data, where the employer is the data fiduciary and the employee is the data principal. The exception is allowed for the purposes of recruitment, termination, provision of a service or benefit, attendance, or assessment of the performance of the data principal.
For Other Reasonable Purposes
Personal data could be processed without consent for the purposes of the prevention and detection of any unlawful activity, including fraud; whistleblowing; mergers and acquisitions; network and information security; credit scoring; recovery of debt; processing of publicly available personal data; and the operation of search engines. Such processing without consent for a reasonable purpose may only be carried out under regulations made by the authority.
Categorization of Sensitive Data
The provision on “sensitive personal data” empowers the Central Government, after consulting the authority, to categorize certain data as sensitive. The Central Government may, by notification, designate a category of data as sensitive if its processing by the fiduciary carries a risk of significant harm to the data principal, if there is a reasonable expectation of confidentiality in that kind of information, or if a class of persons may suffer harm from the processing of such personal data.
The authority may, by regulation, impose additional safeguards or restrictions on the repeated or continuous collection of such sensitive personal data.
Personal Data and Sensitive Personal Data of Children
Chapter 4 of the Bill deals with the circumstances in which the personal data and sensitive personal data of children may be processed by data fiduciaries. It is the duty of the data fiduciary to protect the interests and rights of the child while processing that child's personal data. The data fiduciary must also verify the age of the child and obtain consent; it is the fiduciary's responsibility to take the consent of the child's parent or guardian before processing his or her personal data.
The Bill empowers the authority, by regulation, to classify a data fiduciary as a guardian data fiduciary if it operates commercial or social websites directed at children or processes large volumes of children's personal data. A guardian data fiduciary is prohibited from stalking, tracking or behaviourally monitoring children, from directing targeted advertising at children, and from any other processing of children's personal data that would in ordinary circumstances cause them significant harm.
Rights of Data Principal
As stated in its objective, the Bill tries to safeguard the right to privacy of the individual; on the same lines, the data principal, that is, the person whose data has been collected for processing, is given certain rights to ensure that his or her personal data is not misused.
Rights against Data Fiduciary
- The data principal can demand confirmation of whether his or her personal data is being processed or has been processed.
- The data principal has the right to take back from the fiduciary the data that was collected for processing, and to demand a summary of the processing.
- The data principal has the right to information about the actions taken by the fiduciary on the data collected for processing.
- The data principal has the right to know the identity of the data fiduciary or the other fiduciaries with whom the personal data of that person is shared subject to the regulations made by the authority.
Right to Correction
Where the data principal considers it necessary for the purpose of the data processing, and subject to the conditions of sharing, he or she has the right to:
- Correct inaccurate or misleading information.
- Complete incomplete personal data.
- Update out-of-date data.
- Erase data not necessary for the purpose of processing.
- To receive an adequate justification for declining the request of the data principal to correct the data.
- If not satisfied by the justification, require the data fiduciary to indicate that the correction sought by the data principal is disputed.
- Be notified by the data fiduciary of any amendment made to his or her personal data, and have the fiduciary notify any entities to which the data was previously disclosed that may be affected by such an amendment.
Right to be Forgotten
A data principal who wants the sharing of certain previously shared data to be discontinued has the right to require this. Such a right could be exercised only if:
- The purpose for which the data was shared has been fulfilled and the sharing is no longer required.
- The consent has been withdrawn.
- Data was taken for purposes prohibited by law.
Transparency and Accountability Measures
The Bill requires a fiduciary to maintain certain transparency standards in the processing of data. The fiduciary shall make available the method of data collection, its purpose, any risk involved, the procedure for exercising rights, its rating, cross-border transfer information, and any other information reasonably required or prescribed by regulation.
The fiduciary is required to communicate the important operations in the processing of personal data. The data processor or fiduciary must understand the nature, purpose and risks of the processing and the harm that could be caused. Hence, processors should implement the necessary security safeguards to protect the integrity of the personal data and to prevent its misuse or unauthorized use.
They have to review their security policies systematically at set intervals. They also have a duty to notify the competent authority of any breach of such a security mechanism. Before upgrading processing technology, increasing the volume of personal data processed, or processing sensitive data such as biometrics, they must first have their security standards assessed under the provisions of Clause 25 of the Bill.
The Bill requires processors to keep data up to date. Under its provisions, fiduciaries are required to have their policies and conduct audited annually by independent auditors. A data protection officer shall be appointed, whose main role is to monitor the security standards in the company and to advise the fiduciary on its security policies. Every such fiduciary shall have a working redressal mechanism to entertain any grievances of the data principal.
Restriction on Transfer of Personal Data Outside India
Every fiduciary is required under this Bill to set up storage and a server within India holding at least one copy of the personal data collected for processing to which this Act applies. The Bill lays down that personal data other than sensitive personal data may be transferred outside India if:
- The transfer is made under a legal contract approved by the authority.
- Transfer to a particular country, sector or organization has been permitted by the Central Government after consulting the authority.
- Transfer of particular data or a set of data has been permitted by the authority.
Sensitive personal data may be transferred only after notification by the Central Government, and only:
- To a health or emergency service where the data is necessary.
- To a country, organization or sector that the Central Government has, by notification, found not to obstruct the effective implementation of this Act.
For the sake of national security, any processing of personal data by the State is permissible only if it is in the pursuance of some law and under the procedure established by that law.
Processing for the prosecution, investigation, detention and prevention of any offence or other prohibited act is permissible only if it is done under a law authorizing it, enacted by Parliament or a State legislature.
Processing for the enforcement of any legal right is exempted where the disclosure or processing of such personal data is necessary to seek relief, defend a charge, oppose a claim, or obtain legal advice from an advocate or counsellor in any impending legal proceeding.
Processing of personal data for research, statistical, archiving purpose, domestic purpose, journalistic purpose, or manual processing by small entities is exempted under this Bill.
Data Protection Authority of India
Under this Act, the Central Government may by notification establish an authority to be called the National Data Protection Authority of India. With the approval of the Central Government, the authority may set up regional offices for efficiency of work and better administration. The authority shall comprise a chairperson and six members. The selection committee shall consist of the Chief Justice of India, or a Supreme Court judge nominated by the Chief Justice, as chairperson; the Cabinet Secretary; and an expert nominated by the Chief Justice of India or the nominated Supreme Court judge in consultation with the Cabinet Secretary.
The Chairperson of the authority will have the power of superintendence and to give direction for the affairs. The authority will itself appoint members and officers it deems necessary for discharging its duties under this act.
The most important function of the authority is to protect the right to privacy, that is, to protect the interests of data principals, prevent any misuse of data, promote awareness of data security and ensure compliance with the provisions of this Act. Its other responsibilities and powers include framing regulations and policies for all the purposes stated above in order to regulate data processing, including all provisions that such regulation requires.
The authority has the power to issue codes of practice governing the good-faith conduct of companies and entities engaged in data processing. A code of practice may be framed for an agency, association or industry involved in personal data processing. The authority is responsible for maintaining the codes and amending them as the need arises.
The authority may issue directions for the purpose of discharging its functions under this Act. From time to time, as it deems necessary, it may issue directions to data fiduciaries or data processors in general, or to a particular data fiduciary or data processor. By the terms of such an order or direction, a data fiduciary is bound to comply with it.
The authority has the power to call for information from data fiduciaries and data processors as required for discharging its functions under the Bill. An authorized officer of the authority has the power to seize any computer resource or any other document if it gives rise to a suspicion of misconduct or violation of the regulations under the Act.
For any authority to be accountable and efficient, it must include a redressal mechanism. Under this Bill, the Central Government may, by notification in the Official Gazette, set up a tribunal to hear and dispose of matters arising under this Act. As per the Bill, the first hearing shall be before this appellate tribunal, and the matter may be appealed to the Supreme Court. The Bill further states that no civil court shall have jurisdiction over any matter that this Appellate Tribunal is empowered to decide.
This Bill makes the voluntary transfer, disclosure, collection or sale of personal data in contravention of its provisions punishable. Any offence under this Act shall be cognizable and non-bailable, notwithstanding the provisions of the Code of Criminal Procedure, 1973.
Offenses under the Bill include:
i) Collecting, processing or transferring personal data in contravention of the provisions of this Act shall be punishable with a fine of Rs 15 crore or 4% of the annual turnover of the company, whichever is higher.
ii) Negligent failure to conduct a data audit as prescribed by this Act shall be punishable with a fine of five crore rupees or 2% of the annual turnover, whichever is higher. Re-identification and processing of de-identified personal data without consent will be punishable with imprisonment of up to three years, or a fine, or both.
Sharing of Data with Government
Under the provisions of this Bill, the Central Government can, by a simple order or direction and following the prescribed procedure, obtain non-personal or anonymized data (data from which the identity of the data principal cannot be obtained) from any data fiduciary or data processor.
Amendment to Information Technology Act, 2000
The amendments to the Information Technology Act, 2000 made by this Bill are aimed at removing any provision relating to compensation payable by a collector of personal data or data fiduciary for an act contrary to the provisions of this Act.
For that purpose, Section 43A of the Information Technology Act, 2000 is to be omitted. That section provides for compensation by any company, authority, agency or person that, while dealing with sensitive personal data or information, commits a negligent act or practice causing wrongful loss.
The Personal Data Protection Bill, 2019 also amends Section 87 of the Information Technology Act, 2000 by omitting clause (ob) of sub-section (2) from the parent Act. That clause provides that data fiduciaries shall implement the necessary security policies.
There are a number of issues in this Bill, but the one highlighted by Justice B.N. Srikrishna, who headed the Committee responsible for drafting the Personal Data Protection Bill (PDP), is that the Bill placed in Parliament after review and amendment allows the Centre to exempt its agencies from some or all of its provisions; for that reason he called it “dangerous” and said it can turn India into an “Orwellian state”.
Explaining his reasoning, he stated that under the exemption on the grounds of state security, the government could exempt its data fiduciaries from the rules that govern the processing of personal data on the grounds of national security, public order and friendly relations with foreign states. This is subject to the procedures, safeguards and oversight mechanisms of the respective agency, but those could be manipulated. Justice B.N. Srikrishna later stated that the draft Bill contained safeguards against the State's power to use the exemption on the grounds of state security, but that these do not appear in the proposed Bill.
The exceptions in the Bill are discussed very vaguely. For example, the exemption from the provisions of the Act for prosecution or investigation does not lay down the procedure for doing so, and could be misused by the government for personal benefit and political motives. The provision does not specify whether, for the purpose of prosecution, investigation or prevention of an offence, certain personal data that does not satisfy that purpose will be left unprocessed or exempted from such processing. Just as there is a doctrine of reasonable restriction on fundamental rights, there should be a reasonable restriction on the authority's power to act under such exemptions.
In the case of data transfer to fiduciaries or data collectors outside India, the Bill states that the Central Government may, by notification and after consulting the authority, permit such fiduciaries to operate outside India. But again, it does not state any criteria or the grounds on which such companies, agencies or data fiduciaries will be permitted to process the data.
The Bill was drafted after the judgment of a 5-judge constitutional bench to safeguard the individual's right to privacy under Article 21, the “right to life”, and as per its objective it was made enforceable against private individuals. The State was treated as a private individual in the scope and application of the Bill. The Bill fails to provide any redressal mechanism against the authority. Under the Constitution, the foremost responsibility for protecting fundamental rights lies with the State, and any violation of such rights is enforceable against the State; but in this Bill that enforceability is overridden by imposing the liability on private institutions. The State is not made liable, as the authority works on the directives of the Central Government.
The Aadhaar judgment of the Supreme Court required the State to provide security for personal data, and in that case it is also the responsibility of the State to declare a specific objective for the collection and processing of data; yet in the case of the exemptions, the State is still expected to provide such information to the public or to the data principal whose data has been used.
The foremost issue in the Bill is that it leaves open the possibility of total control by the government over the sensitive data and other personal data of an individual or data principal, which could turn into authoritarian rule. One possible remedy is to provide provisions like the emergency provisions in the Constitution under Articles 352 to 360, together with judicial review, to make the State accountable for exercising its power under the exemption for the security of the State. Similarly, the State should be required to obtain an order or permit from the Tribunal or the Supreme Court to process data without consent on the ground of national security, and the same should be verified once the purpose is achieved.
Data principals with grievances against the authority should have the right to file a case against it somewhere other than the appellate tribunal, since the foundation of the appellate tribunal is laid by the Central Government itself, which casts doubt on the tribunal's independence. The authority and the Central Government appoint the judges of the tribunal, which gives the authority an indirect influence over them. Cases against the authority should be entertained by the judiciary in a prescribed court with a mandate to hear and decide such cases.
The experts' opinion on the proposed Bill was that the government should take care that the export-oriented IT industry, worth 200 billion rupees, is not harmed in the process, or the economy may take a hit. The government should leave scope for innovation while carrying out the task of data protection. The flow of data in cross-border transfers should be regulated in a balanced way, so that transfers can be adapted in a localized manner for the sake of protection and security.
Lastly, the most controversial issue in the Bill is that the government is exempted from stating an objective for data collection and processing. State-authorized data processing should be handled in a more transparent and accountable way, so that the data principal or class of persons affected by such processing is given a reason or justification for the need for it. The right of an individual to take back his or her sensitive personal data should also be made applicable against the State, with a right to have grievances addressed in a more accountable and transparent setting.
This Bill was drafted after the Supreme Court, in its judgement in the Justice Puttaswamy case, made the Right to Privacy a part of the Right to Life under Article 21. The Supreme Court directed the competent authority, in this matter the Central Government, to draft legislation for this. It is also the duty of the State to protect the professional practitioner's right to profess under Article 19 of the Indian Constitution. For these reasons and objectives the Bill was drafted.
The Personal Data Protection Bill, 2019 is a regulatory bill: it establishes a proper framework within which data fiduciaries can work and practise, while making sure that their practice is not hurt by excessive and unnecessary regulation. It gives data principals, the persons whose data is taken for processing for a purpose, certain rights and guarantees that their data is protected and not misused without their consent.
A major concern regarding the Bill is that it leaves scope for the State to use the personal data of any individual under the exemptions. That concern was also expressed by Justice B.N. Srikrishna, who drafted the initial 2018 Bill. The exemptions remove the State's obligation to state a valid reason for using personal data without consent, which poses the threat of authoritarian rule. In response to this issue, it is suggested that a provision be added requiring the State to provide a valid reason and obtain a court order before using such personal data without consent.