This article has been written by Shivani Singh pursuing the Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Zigishu Singh (Associate, LawSikho).
In recent times, data protection or data privacy has become a trending topic that is being discussed by almost everyone, irrespective of their professional background or nationality. Throughout history, data or information has been treated as a valuable asset in need of protection. Different civilizations came up with different systems of security and myriad methods of encryption in order to protect the data or information they deemed important. Fast forward to the 21st century and the arrival of the digital age, and data has become more vulnerable than ever before. The reason is obvious: accessibility. Data is stored in a digital medium, which means that there is always a possibility of it being hacked or leaked. The digital world may have made our lives convenient by making everyday tasks doable with the simple click of a button on our smart gadgets. However, at the same time, it has put our lives on display for anyone who desires to know about us.
The governmental authorities around the world have come up with policies in order to tackle data breaches and protect the private lives of their people. In this article, we shall endeavor to explore the privacy policies of two such countries with diametrically opposite systems of government and carry out a comparative analysis of their approach towards data protection.
China’s Personal Information Protection Law
The much-awaited law was adopted by the 13th National People’s Congress on 20th August 2021 and came into force on 1st November 2021. The PIPL derived inspiration from the General Data Protection Regulation (GDPR) in defining ‘Personal Information’ under Article 4 as ‘all information related to identified or identifiable natural person’. This essentially means that even information which does not by itself identify a natural person, but which relates to an already identified person, falls within the ambit of ‘Personal Information’. The only exception is anonymized data. The process of anonymization has been explained under recital 26. Under this policy, the data controller is termed the ‘Personal Information Handler’, which includes organizations and individuals independently handling the personal data of the data subjects.
Scope of PIPL
Perhaps the most intriguing provision of the PIPL is its scope as envisaged under Article 3. This particular provision extends the application of the ‘Personal Information Processing’ rules to processing carried out even outside China, subject to certain conditions. Let us bifurcate the scope of processing into two parts:
Within the borders of China
The data processing restrictions will apply not only to Chinese companies but also to the affiliates of other MNCs based in China.
Beyond the borders of China
This is the most relevant aspect of the provision, wherein it has been enumerated that the rules of processing personal data will also apply to handlers and processors outside China as long as the processing is for:
- Providing products and services to the Chinese nationals;
- Analysing/assessing the behavior of the natural persons in China; or
- Any other circumstances as provided by laws and administrative regulation.
The last criterion for the application of the data processing rules is ambiguous, as it has not been defined clearly in the policy. This makes it susceptible to misinterpretation by the authorities as per their own whims and fancies.
Rights of the data subjects
The PIPL has specifically dedicated a whole chapter to the rights of the data subjects. It treats ‘consent’ as the only qualifier that permits data handlers and processors to do as they please with the data. Accordingly, the following rights have been granted to the data subjects:
- Right to knowledge, decision, restriction, objection and rescission.
- Right to access, copy and portability.
- Right to rectification.
- Right to deletion.
- Right to demand transparency, fairness and justice in data processing results.
The rights guaranteed to the data subjects provide them with the requisite tools so that they may protect their interests and prevent misuse of their personal data.
Regulation of data handlers and processors
There are certain obligations that data handlers and processors are required to adhere to, enumerated as follows:
- Undertake security measures in order to avoid any leakage or misuse of personal data, which may include, but are not limited to, establishing an internal system for monitoring, having emergency back-up plans and implementing technical security measures.
- Appointment of ‘Data Protection Officers.’
- Appointment of a Representative by the handlers based outside China to oversee data processing compliances.
- Get audited to ensure adherence to the compliance requirements.
- Assess the impact of the processing activities to be performed on the personal data.
- Have a quick response mechanism in place to handle breaches.
Consequences for violation: penalty
In case of general situations of breach
The entity is ordered to rectify, any illegal gain is confiscated, and a fine of not more than 1 million CNY is imposed. The fine for the persons responsible will range from 10,000 CNY to 100,000 CNY.
In case of severe breach
The entity is ordered to rectify, any illegal gain is confiscated, the relevant activities are suspended, and a fine of 50 million CNY or 5% of the annual turnover is imposed. The fine for the persons responsible will range from 100,000 CNY to 1 million CNY, and they are prohibited from holding key positions in the entity.
Depending on the gravity of the breach, imprisonment of up to 7 years may also be imposed.
India’s Personal Data Protection Bill, 2019
The draft bill for personal data protection, which aims at protecting data privacy, has been introduced in the Parliament of India but has not been passed yet, as it is still under review by the Joint Committee of Parliament (JCP). The bill has made headlines for drawing flak from social media entities and experts, who point out that there are too many ambiguities in its provisions.
In 2017, the Supreme Court upheld that the Right to Privacy is a fundamental right, which can be included within the ambit of the right to life and personal liberty as mentioned under Article 21 of the constitution. Personal data has been defined under Section 3 clause (28) of the bill as:
‘Data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;’
This implies that any data which can act as an identifier for a natural person may be deemed to be ‘Personal Data’.
The draft bill introduces the concept of a Data Fiduciary, who is responsible for deciding the purpose and method of data processing. Data processors will process the data on behalf of the data fiduciary. The role of the data fiduciary will be to determine the methods or ways of processing the data of the data principals. The data fiduciary will be obligated to take certain security measures in order to maintain the transparency of data processing, which may include employing encryption to secure data and having a grievance redress mechanism in place.
Scope of PDP
The bill will be applicable to the processing of data by:
b) Private entities incorporated in India; and
c) Foreign companies handling data of the Indian nationals.
Rights of data principals
The individuals whose data is being processed by a data fiduciary or processor have also been given certain rights under the bill. These can be summarized as follows:
- Right to seek information about whether their data has been processed by the data fiduciary.
- Right to seek correction or rectification of inaccurate and out-of-date data.
- Right to get their data transferred to another fiduciary in certain circumstances.
- Right to restrict the continued disclosure of their data by a fiduciary once the purpose of processing has been served.
- Right to be forgotten.
Under the bill, fiduciaries are allowed to process data only if the data principal has given consent. However, the data can be processed without the consent of the data principal in the following situations:
1) If the data is to be used by the state to provide benefits to the individuals;
2) If it is for a legal proceeding; and
3) In case of medical emergencies.
The fact that the state can process the personal data of individuals without their consent, in the name of conferring benefits, can be dangerous to the liberty and freedom of the people.
Relevant aspects to be noted
- Social media intermediaries have also been included within the ambit of the bill: a social media platform with a defined threshold of users and the capability to influence the behavior of people in terms of elections and political affairs will have to follow certain obligations.
- Establishment of a data protection authority in order to prevent the misuse of personal data and monitor processing by the various fiduciaries.
- The central government can exempt any of its entities from the scope of the bill in the name of ensuring the security, sovereignty, integrity or unity of the country.
- The government may ask the data fiduciaries to share non-personal or anonymous data if required.
The bill envisages a penalty of 15 crore rupees or 4% of the annual turnover, whichever is higher, in case of violation of the provisions of the bill. The fine for failure to conduct a data audit will be 5 crore rupees or 2% of the annual turnover, whichever is higher.
Data protection laws have become a necessity in an age where everything has gone digital, especially after the COVID-19 pandemic, which pushed people further towards a virtual existence. Both China and India have come up with their own versions of a data protection law. While these laws have certain similarities, their implementation might differ according to the countries' political systems. However, both pieces of legislation are open to criticism, as each is capable of becoming a tool for the authorities to control individuals.