ANALYSIS - THE DATA (PRIVACY AND PROTECTION) BILL, 2017
Updated: Jul 15
Author: P Gayathri Menon, III year of B.A.,LL.B(Hons) from VIT School Of Law, Chennai.
Technology is developing day by day and thus the number of web users has also crossed 500 billion. Everyday a large amount of data (both personal & non-personal) is being shared without any security. This can lead to many catastrophic consequences such as the blatant invasion of an individual’s privacy. Hence, putting data privacy is very much required and is at the centre of public discourse is the need of the hour.
The Personal Data Protection Bill 2019, which was presented by the government in the Lok Sabha on December 11, 2019 can be considered as a major step towards this.
Through the establishment of a Data Protection Authority, the bill aims to protect the personal data of every individual. In the case of Puttuswamy v. Union of India a nine-judge bench of the Supreme Court has declared that the right to privacy is a fundamental right protected under Part III of the Constitution of India. Privacy of personal data and facts, is an indispensable aspect of the Right to Privacy and hence it is very important to ensure the same.
KEY PROVISIONS OF THE BILL
Clear and specific consent should be obtained from the individual before processing their personal data by the entities.
The government can direct an individual or an entity to get access to non-personal data in order to provide better services to the people.
Data related to health can be processed even without consent and can be transferred outside India in case of health or emergency services if the government has deemed such transfer to be permissible.
In certain circumstances like any function of Parliament or state legislature, compliance with any court judgement, to respond to a medical emergency or a breakdown of public order, purposes related to employment, for reasonable purposes as specified by the DPA, the Bill authorizes the central government to allow government agencies to process such personal data without prior consent of the individual.
If there is any involvement of national security, the government agencies have the right to access to personal data for any investigation pertaining to offences.
The Bill envisages setting up a Data Protection Authority to ensure compliance.
The prohibition of the transfer of personal data abroad is clearly mentioned in the bill. However, in certain conditions the sensitive personal data can be transferred outside India with permission but has to be strictly stored in India only.
All the critical personal data will only be processed in India, and the central Government is entitled to notify critical personal data.
In case any company fails to adhere to the provisions of the bill, there is a penalty of ₹5 crores or 2% of the turnover of the concerned company, whichever is higher.
The Bill empowers the citizens to seek correction of inaccurate, incomplete, or out-of-date personal data. They also have the rights to withdraw their consent, and restrict continuing disclosure of their personal data by a fiduciary, or have the data ported to other fiduciaries at any time.
WHO WILL HAVE TO COMPLY?
The bill imposes strict and mandatory new compliance requirements for data protection on most businesses in India.
Such requirements have to be satisfied by almost all businesses across India’s economy. This will include not just e-commerce, social media, and IT companies, where a large part of the population is involved but also brick-and-mortar shops, real estate companies, hospitals, and pharmaceutical companies. The only exceptions provided by the bill is “small entities” (businesses like small retailers that collect information manually.
Some financial and telecommunications firms are also under the obligation to follow the mandates under the bill such as privacy and confidentiality requirements set out by their sectoral regulators. But for all other businesses, these rules would be new.
PROS OF THE BILL
Presently, much of cross-border transfer of data is regulated and administered by individual bilateral “mutual legal assistance treaties”, and law-enforcement agencies have to undergo a cumbersome process to get access to such data. Data localisation will also help the authorities in cases like investigation by allowing them easy access to data.
To ensure fewer security breaches in cyber-world and to decrease the rate of cybercrimes, the transformation of this bill to act is very necessary and helpful.
The cases of fake news are at an all-time high. Rumours that are being spread through social networking sites often lead to terrible consequences like lynching and even national security threats. The uncontrolled world of social media and internet within the borders of India can be monitored and kept in check so that a large number of spams can be avoided.
The Government will be able to ensure better source of income through the imposition of tax compliance by giant online firms.
The maintenance of data sovereignty will be ensured.
The Bill foists additional requirements on Data Collectors, such as the requirement of obtaining consent from the individuals. In case any information of children is required, the consent from their parents or guardian should be obtained
CONS OF THE BILL
Data localisation norm can make India an infeasible market for services, that cannot afford the financial or logistical costs of data localisation. Additional costs incurred by the digital service companies will be passed down to the customers.
The growth of start-ups is hampered by preventing them from expanding globally as the bill impose certain restrictions in accessing data.
The definition of ‘critical personal data’ is not well defined by the bill thus leading to an obscureness in the constitution of those data.
Such protectionist measures do not bode well with a globalised and competitive internet marketplace.
The Bill in the garb of ‘exemptions’ dilutes protections on individual data rights as well some of the fundamental rights guaranteed to them by the Indian Constitution.
Technology giants like Facebook and Google fear that the domino effect of the protectionist policy of the Bill will lead to other countries following suit.
Although, localisation of data may protect Indian data from foreign threats, placing the servers within the country will increase the risk of domestic threats due to lack of resources and robust infrastructure.