CRITICAL ANALYSIS OF DATA PROTECTION BILL AND DATA LOCALIZATION
Author: Mayank Gandhi, I year of B.A.,LL.B(Hons) from Maharashtra National Law University Nagpur.
The Personal Data Protection Bill 2019 put in front the legal framework for digital economic growth of India, to protect the privacy of individuals, to regulate the transfer and processing of data. This bill is maintaining the balance between the informational privacy of individuals and digital economics& governance.
This research paper aims to demonstrate how this bill will play a significant role in the development of the digital economics of India, how it will enshrine the legal values related to privacy. We will first look at the provisions of the bill. Secondly, we will critically analyze the bill to know the positive and negative repercussions of the bill, and lastly, we will discuss what technical measures should be adopted for implementing and enforcing the bill to develop the culture of free and fair digital economy and protect the rights of individuals.
Keywords: Personal Data Protection Bill, Digital Economy, Right to privacy, GDPR, Data Protection.
The personal data protection bill was proposed on the 11th day of December 2019 by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad in the Lower House of the Indian Parliament. It has laid down the foundation for storing, processing and regulating the data and has taken some major provisions from GDPR such as storage and processing of data, security and compliance, dispute resolution etc.
The main aim of this bill is to put the interest of an individual at the top level and empower them to control their own data. In today’s digital era, data has the potential to reveal sensitive information posing a potential threat to the privacy of an individual. It has become an important source of income for companies and corporate houses etc. as they make targeted advertisements to pursue users to purchase the product by analyzing the user’s personal data, but this bill will now restrict such companies from collecting unnecessary and excessive information from their users and will prevent commercialization of data.
Protection of personal data of individuals will lead to progress, growth and empowerment of individuals as well as the country. The bill is formulated on the basis of the European Union’s General Data Protection Regulation (GDPR). It has been drafted taking into consideration the privacy of the individual and digital economic growth of the country so that it can foster a free and fair digital economy.
In the case of Kharak Singh v. the State of U.P, the Supreme Court for the first time recognized that the right to privacy is a fundamental right under article 19 and 21 of the constitution and in 2017, Supreme Court in the case of K.S. Puttaswamy v. Union of India. declared the Right to Privacy as a Fundamental Right and affirmed that “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21”.
To achieve the true essence of this unanimous verdict, Indian Government established the Justice B.N.Shrikrishna committee to draft the personal data protection bill.
Before the commencement of this bill, sensitive personal data was regulated by Sensitive Personal Data Rules (SPD rules) issued under section 43A of IT act 2000 but due to continuous growth in digital sector, these rules have become deficient, and under these rules the definition of sensitive personal data is unduly narrow, leaving out several categories of personal data from its protective remit. Therefore these rules are lacking at the application and implementation part and not properly protecting the data of individuals.
Currently more than 120 countries had brought legislation on data protection, so it was the need for the hour for the government to put forward data protection regulation framework.
For all the above-mentioned reason, The Personal Data Protection Bill 2019 was tabled by Mr. Ravi Shankar Prasad in Lok Sabha.
Main Provisions of the Bill
Categorization of Data: The Personal Data Protection Bill 2019 clearly defines the term personal data, sensitive personal data and critical personal data. The bill states that data about or relating to a natural person who is directly or indirectly identifiable is “Personal Data”. Personal data which may reveal financial, health, sex life, sexual, biometric, genetic, caste, official, religious, political data etc. is “Sensitive Personal Data”. Any data which is deemed critical for the government can be declared as the “Critical Personal Data”.
Establishment of Data Protection Authority: The main function of this authority is to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and to promote awareness about data protection. The authority is empowered to take appropriate action in case of violation of personal data, to provide and enforce the act. It is also authorized to provide trust scores, examine audits and supervise the cross-border transfer of data.
Rights of Data Principal: There are various rights endowed by the act onto the data principal such as right to ask for confirmation and correction, right to objection and restriction, right related to data portability, right to be forgotten.
Right to be Forgotten: This bill entitles the data principal to restrict data fiduciary from disclosing his/her personal data if it is no longer necessary or it is no longer relevant or if consent is withdrawn or if such disclosure is in violation of provisions of any law.
Right to Data Portability: This bill entitles the data principal to receive the personal data in an organized, structured, commonly used and readable format if it is processed through automated means.
Right to seek Correction and Confirmation: After the commencement of this bill, data principal is now authorized to ask a data fiduciary whether his/her personal data is processed or not, he can ask for correction of personal data if such data is inaccurate or incomplete or out-of-date/obsolete.
Critical Analysis of Data Protection Bill
In this section we have discussed the advantages and disadvantages of The Personal Data Protection Bill of 2019.
Advantages: The bill has attempted to balance the right of privacy of data principal and growth of digital economy. Current status of laws regulating the data is that they are cumbersome and obsolete.
The bill has established an independent data protection authority which will oversee data audits, redress the grievances of data principals and regulate cross-border transfer of data.
The bill has given various rights to data principals such as the right to be forgotten, right to data portability etc. which will protect the interest of data principals and will empower data principal to know how his/her data is processed.
It has imposed obligations on social media companies to build a verification mechanism so that they can verify users and prevent unwanted trolling and spamming.
This bill authorize the government to direct any data fiduciary to provide non-personal data which will help government in making informed, effective and efficient policy for the digital economy.
The companies can only collect personal data for a clear, specific and lawful purpose with the consent of data principal, and it will prevent data fiduciaries from taking advantage of data for profit generating.
Disadvantages: Government can use any non-personal data for their policy making and for the betterment of services but such excessive and unregulated use of non-personal data will impose a great threat on privacy of an individual because there are methods which can convert the non-personal data into personal data leading to the identification of an individual.
On paper, Data Protection Authority has given the status of being independent but in practical life it is not an independent authority because it consists of experienced civil servant such as cabinet secretary etc. who are appointed by the government and their tenure and the budget of the authority is regulated by the government which will indirectly or directly impact the transparency, accountability and functioning of the authority. If a member of the authority has any conflict with the interest, purpose or decisions of the central government, then central government for their benefit can remove the member of the authority, and it will run a sever risk on independency of the authority.
Government can excess any type of data for reasonable purposes, but the term ‘reasonable purpose’ is not defined, which will lead to the misuse of data.
Central Government can exempt any government agency from the purview of the data protection bill. According to the Justice B.N.Shrikrishna committee unreasonable exemption given to the government agencies, will create an “Orwellian state” and will have severe consequences.
This policy may bounce back at the government because now companies will have to follow more rules and regulations, acquire more licenses and build more infrastructures to store the data in India, which will adversely affect the profit of the company and may lead to the wind-up of their business in India. This whole process is very complex, tedious and cumbersome.
Today’s era is one of technology and speed, and such a nationalistic and protectionist approach will hinder the digital growth of India. In this competitive internet market, speed and cost matter the most, but such a nationalistic approach (storing the data in India only and restricting the flow of data) will increase the cost of data fiduciaries and will hamper the speed of data flows.
The Indian personal Data Protection Bill of 2019 is the first legislation made by the government to protect the right to privacy of individuals. The bill empowers individuals to regulate their data, get information from data fiduciaries about how their data is used. The key provision of this bill is ‘Data Localization’ which aims to store sensitive and critical data in India, to fulfill the objective of national security and provide access to data to the government for surveillance.
Although there are some loopholes or deficiencies in this bill which need more consideration such as not properly attending the concern regarding the right to privacy, ambiguity about the functioning of DPA etc. If government really wants to make this bill successful then it will have to relax its policies regarding cross border transfer of data, make functioning of DPA independent in real sense, include retired judges of Supreme Court or High Court and persons having expertise in data protection field in DPA and fix their tenure, build strong bilateral or multilateral treaties with other countries through negotiations for cross–border transfer of data and lastly government should give lawful and reasonable exemptions to its national security agencies such as Central Bureau of Investigation (CBI), Research and Analysis Wing (RAW), Intelligence Bureau etc. so that they can use personal and non-personal data for detection of criminals and prevention of any cognizable offence. Overall, this whole bill has huge potential to protect the interest of individuals and give a boost-up to our economy.