By
Shohni T.A & Sanjay G, IV year of B.A.,LL.B. from BMS COLLEGE OF LAW
Data Protection is also known as Data Privacy or Information Privacy, which means the process of safeguarding information from loss or corruption. Very huge amounts of data can be stored in the computer and easily searched, that data can easily be transferred or stolen. Data can be classified into two types namely public data and private data. Public data is all information in the public domain, which is accessible to the public at large like court records, birth and death records. It is that information that can be used, reused and distributed by anyone with no restrictions on usage or access. Whereas Private data is personal to the individual or organisation it cannot be disseminated by anybody without any permission of the subject. Private data includes photographs, browsing details, preferences, locations, travel history, financial details. Everything we do online reveals our existence. The importance of data protection increases as the amount of data created and stored grows.
Why was Bill introduced for Data Protection?
India has no particular law governing exclusively for data protection. India has adopted International declarations such as the Universal Declaration for Human Rights and International Covenant on Civil and Political Rights, which recognise the right to privacy[i]. German cybersecurity firm reported that medical details of many Indian patients were leaked and also freely available on the internet, this is the alarm for India to take certain action to protect data leakage[ii].
The firm listed studies and medical images such as CT Scans, MRIs and patient photos were available. These data were made available as there is an absence of security in the Picture Archiving and Communication System servers used by medical professionals. Public data leakage has become common in India, even from government websites data are leaked. The Hon’ble Supreme Court of India held that ‘’Right to Privacy’’ is a fundamental right for an individual flowing from the right to life and personal liberty under Article 21 of the Indian Constitution. The Supreme Court of India also observed that privacy of personal data and facts is an essential aspect of the right to privacy. Indian government came up with a draft of the Personal Data Protection Bill.
In July 2017 Justice B.N. Sri Krishna committee was set up to examine various issues related to data protection in India. They also submitted a report along with a draft personal data protection bill, 2018 to the ministry of electronics and information technology in July 2018. The bill received too much objection so, after that again, it came up in 2019 with some modification, but even after this it was referred to the parliamentary committee for detailed examination.
Data Protection Bill, 2019
Shankar Prasad on 11th December 2019 in the lower house of the parliament. The Bill’s main aim is to protect personal data of every individual, and also wants to further establish a data protection authority to look into the matters.
Important Aspects of the Bill
The present bill provides the proper legal framework for collecting and use of personal information along with this it can also create the authority called Data Processing Authority to make a set of regulations enforcing the legal framework for processing of personal data.
The important feature of this bill is its applicability. It will apply to all enterprises in India. This uses automated means to collect data. Another important factor is the data protection authority can decide which small entities based on turnover, volume.
Personal Data
Personal Data’s definition has been expanded to include online and offline data about a natural person, ‘’or any combination of such features with any other information’’, and to include any ‘’ inference drawn from such data for profiling.’’
Kinds of Personal Data
There are three kinds the first one is personal data which is already defined above, and the second is sensitive personal data it can transfer for processing outside the country, but with the user’s consent and the data protection authority’s or central government’s permission, but need to be stored in India only. Sensitive personal data includes financial data, health data, sexual orientation, transgender status, caste, tribe, and religious or political beliefs. The central government and ‘’Data protection authority’’ can together also notify further kinds of data as sensitive personal data. ‘’Passwords’’ have been removed from the list of sensitive personal data listed in the bill.
Third is critical personal data which has not been defined and will be notified by the central government; it can be processed only in India.
Further, the bill makes consent the important feature in it. The bill also says that the personal data of an individual should be accessed based on free, informed, and detailed consent. Along with the clauses that consent can be withdrawn. According to section 11 and section 57 of the data protection bill, 2019, if the data is processed without the proper consent, will be laid to breach and the penalties can be levelled on that.
Social Media Intermediary
A social media intermediary defined as “an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.” This does not include intermediaries which enable commercial or business transactions, provide access to the internet, email services, search engines, and online encyclopaedias.[iii]
Section 12 of the data protection bill, 2019
Under this section, there are certain grounds where the personal data can be accessed without the consent of an individual. The grounds are for the benefit of the individual, for a medical emergency, to maintain law and order etc.
Social media intermediaries, classified as significant data fiduciaries, will now have to give account verification options to willing users, and such users will be given a visible mark of verification. This will be voluntary.
Section 16
According to this section, data fiduciaries must institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
Chapter IV of the data protection bill, 2019
Under this chapter the two board aspects are:
1. Ensuring that age verification mechanism is in place, and (ii) barring the profiling and tracking of children, the monitoring of children’s behaviour, and targeting of advertising to children.
2. For processing the personal data of children’s parents’ consent is needed. As in India, the person can enter into any contract, but after 18 years only. So, consent also can be given when the individual attends the age of majority only.
Section 20
The right to be forgotten
This section gives powers to every individual right to prevent or restrict the continuing disclosure of personal data by any data fiduciary.
When they can get this power: - When the disclosure purpose is done, and no longer necessary, if the disclosure consent is withdrawn by the individual, when the disclosure was made opposite to the rules of the new bill. The request has to be made by the individuals to the adjudicators to avail this right to be forgotten.[iv]
Negative Aspects
All though there are many strong and advancing provisions in the data protection bill, the data protection bill has many loopholes.
A social media intermediary has been defined as “an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.” This does not include intermediaries which enable commercial or business transactions, provide access to the internet, email services, search engines, and online encyclopaedias.
Damage to Privacy
The government under this bill is entitled to access personal data for reasons like national security, integrity. This may lead the state to interfere in the personal lives of its citizens. The state possesses an enormous threat to privacy. It is also in contravention to Right to Privacy under Article 21 of the constitution, which is also the fundamental right of the people guaranteed under the Constitution of India. There are discussions about definitions of personal data and non-personal data. The definition and distinction of both should be laid in the bill. All data in future will contain personal data leading to the application of data privacy and protection bills. The data analysis technology is moving towards perfect identification which is more likely to relate to a person. The Bill causes discrimination in general, which imposes several restrictions on business activities because many businesses have to discriminate on different grounds for smooth functioning.
Risk of data and privacy breaches
In the bill the clause that provides users with the options of voluntarily checks their identity. This provision would raise the risk of data breaches and establish control in the hands of many social media companies which offer such verifications systems to be installed. This will increase the risk of user privacy breaches too. The bill also mandates companies to share non-personal data with the government, on the grounds of public good and planning. This not only has privacy concerns it's disastrous for companies too.
Thus, the data protection framework should be based on seven aspects that are technology agnosticism, holistic application, informed consent, data minimization, controller accountability, structured enforcement and deterrent penalties. Technology agnosticism means the law must be flexible. Holistic application means the application of the law to both private sector entities and government, consent is the expression of human autonomy, data processing should be minimal and data controller should be accountable for any data processing. Enforcement of laws related to data must be by high powered statutory authorityand penalties on wrongful processing must be adequate to ensure deterrence.
[i]Journal of the National Human Rights Commission, Volume 17
[ii]The Economic Times, Feb 4th,2020