Data Protection Bill, 2019 and Right to Privacy

Introduction

After the General Data Protection Regulation passed by the European Union Parliament, in order to save the privacy of their citizens, it was necessary for India also to save the data of their citizens like identity of individuals, sensitive personal data like sex life, biometric data etc. and to set up a data protection authority in India which regulates the manner in which data of Indian citizens is being processed by global private entities. Thus, for these purposes, a bill was introduced in the House of the People known as the Personal Data Protection Bill, 2019.

What is Personal Data and Need for Privacy?

Personal Data is any information that relates to an identified or identifiable living individual and different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.[1]

In simple words, any information relating to an identified or identifiable natural person is personal data.[2] Personal data includes things like an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity, etc.

According to Black’s Law Dictionary, “privacy is the condition or state of being free from public attention to intrusion into or interference with one’s acts or decisions.”[3] It is something that protects the dignity of a human being. Privacy is one of the most important things that a person wants to have in his life. If the privacy of any person is revealed, it completely changes the behavior of any individual.

Personal data is just the replica of any individual and with the help of it one can find or know anything about the other person like credit card number, health data etc. so, it is very important to have a legislation which grants the right to privacy.

Right To Privacy as a Fundamental Right

Unlike some of the fundamental rights, for example, the Right to Freedom, the Right to Choose or Practice any religion, the Right to Life and Personal Liberty, etc. which have been explicitly mentioned in the Indian Constitution, the Right to Privacy has not been granted in specific and express terms. Thus, this right had been developed by the Supreme Court of India through case laws.

For the first time, the question regarding right to privacy was raised in the case of Kharak Singh v. State of Uttar Pradesh[4], in which Kharak Singh was a dacoit and due to lack of evidences he was left off but there were regular surveillances and as per some of the provisions of UP police regulations, the police used to conduct secret picketing of his house, and verification of his movements. So he filed a writ petition for violation of his right to privacy in which the majority of the Supreme Court judges held that the Indian Constitution does not confer any such Constitutional guarantee, although, the minority was in favor of inferring the right to privacy from the expression ‘personal liberty’ in Article 21 of the Indian Constitution.

This decision of the Supreme Court was further sustained in the case of Govind v. State of Madhya Pradesh[5], in which again the petitioner challenged the police regulations which allowed surveillance, domiciliary visits etc. where although the Court had recognised Right to Privacy as a Fundamental Right, a regulation which provided for surveillance was considered constitutional under the provision ‘Procedure established by law’ of Article 21 of the Indian Constitution.[6]

After these cases, in R. Rajagopal v. State of Tamil Nadu[7] in which the petitioners wanted to publish an autobiography of a prisoner but the prisoner was forced by the respondent not to do so, the Supreme Court held that ‘the right to privacy has acquired Constitutional status; it is implicit in the right to life and liberty guaranteed to the citizens under article 21 of the Constitution and a citizen has a right to safeguard the privacy of his own family, marriage, procreation, motherhood, childbearing and education among other matters.’

Finally, in case of K.S Puttaswamy v. Union of India[8] in which (retired) Justice Puttaswamy challenged the validity of Aadhar act as it violated the privacy of the citizens of India, the nine judge bench overruled the judgment of Kharak Singh v. State of Uttar Pradesh (eight judge bench) declared right to privacy as a Fundamental Right under Article 21 of the Indian Constitution and the right cannot be curtailed except according to procedure established by law which shall be just, fair and reasonable.

Apart from the case laws, right to privacy is one of the rights mentioned under Article 17 of the International Covenant on Civil and Political Rights and also under Article 12 of Universal Declaration of Human Rights both to which India is a party and reads as No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation and everyone has the right to the protection of the law against such interference or attacks.

Data Protection Bill, 2019

The Indian Government introduced the Personal Data Protection Bill, 2019 in the Lok Sabha. This bill consists of 98 sections and one schedule and was referred to Joint Parliamentary Committee for detailed examination, and the report was expected by the Budget Session of the year 2020 but is delayed. The Bill seeks to provide for protection of personal data of individuals, create a framework for processing such personal data, and establishes a Data Protection Authority for the purpose.[9]

After the declaration of Right to Privacy as a fundamental right, a committee was set up which was chaired by Justice B.N Sri Krishna to examine various issues related to data protection in India.[10] The committee had supported its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018.[11]

The Statement of Objects and Reasons of the Personal Data Protection Bill, 2019 states that the bill is made on the recommendations of the report of the expert committee and the suggestions received from various stakeholders.[12] Some of the important recommendations from the 2018 draft are as follows –

1. It regulated the processing of personal data by the Government and private entities.
2. For the processing of data, the data fiduciary had obligations towards the individual such as notifying the individual.
3. Storage of critical personal data was solely allowed in the country.
4. Exemption was granted for the purpose of journalism, legal proceedings, interest of national security or research but can be questioned if it did not meet the standard of necessity and proportionality.
5. Data principals were given many rights such as access to the data when needed which is stored with the fiduciary.

There are certain important definitions mentioned in the Section 3 of the bill which are as follows –

“Data Fiduciary means any person, including the state, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing personal data.”

• “Data Principal means the natural person to whom the personal data relates.”
• “Data Processor means any person, including the State, a company, any juristic entity or an individual, who processes personal data on behalf of data fiduciary.”
• “De-identification means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal.”

Important Characteristics of the Data Protection Bill, 2019

1. The bill also proposes for a Data Protection Authority of India which shall take steps to protect interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill and promote awareness about data protection.[13] The authority shall consist of a chairperson and not more than six whole-time members who shall possess qualifications. and experience in law. The chairperson and the other members of the authority shall be elected by a selection committee consisting of – The Cabinet Secretary (Chairperson of the selection committee), the Secretary to the Government of India in the Ministry or Department dealing with legal affairs and the Secretary to the Government of India in the Ministry or Department dealing with the Electronics and Information Technology.
2. The bill tends to protect the rights of the citizens as no personal information can be collected, processed and shared without the consent[14] except in certain circumstances like when the personal data is needed by the State to provide benefits to the individual, in respond to a medical emergency, prevention of fraud, recovery of debt, legal proceedings etc. The bill gives the right to citizens to get notification regarding the purpose, nature and categories of data to be collected and also the right to receive confirmation whether their data is being processed or has been processed.[15]
3. As per the bill, even the private organizations will have to place limits on data collection, processing, and storage of customer’s data[16] and if any organization shares any data of their customers without their consent, the penalty proposed is as high as INR15 crores or 4% of its global turnover whichever is higher.[17]
4. Moreover, the bill also provides that sensitive personal data of an individual may only be transferred outside India only if there is explicit consent from the individual.
5. The bill also applies certain obligations on the Data Fiduciaries such as the collection of data shall be done only for lawful and specific purpose, notice shall be provided to data principal when their personal data is processed and verification of age shall be done while processing sensitive personal data of children.
6. Last but not the least, if the data fiduciary is not able to fulfill its obligations as per the provisions, it shall be liable for a penalty of INR 5 crores or 2% of its total worldwide turnover, whichever is higher.

Infringement of Right To Privacy by the Data Protection Bill

The bill had landed in controversy as it was different from what was proposed in the 2018 draft given by the expert committee. There are three main points which make the Personal Data Protection Bill, 2019 controversial, which are as follows –

Data Localisation

It is the most controversial part of the legislation. Data Localisation refers to the process of localising the citizen’s data to one’s home country for its processing, storage and collection before it goes through the process of being transferred to an International level.

The 2018 draft of the bill provided for storage of one serving copy of all personal data in India and disallowed processing of “critical” personal data abroad and subjected “sensitive” personal data to a tight regulatory mechanism like explicit consent, contractual clause, approval of DPAI (Data Protection Authority of India) and central government permission whereas the proposed bill only talks of “critical” and “sensitive” personal data and subjects those to a similar regulatory regime.[18]

Apart from this, it is not clear in the bill as to what is critical personal data as Section 33, sub–section (2) of the bill clearly states that the expression ‘critical personal data’ means such personal data as may be notified by the Central Government to be the critical personal data.[19]

Thus, it is very hard to guess as to what data will be kept within India and what critical and sensitive data will be provided to private entities like Google, Facebook, Twitter etc.

Exemption of Government Agencies

Section 35 of the Personal Data Protection bill, 2019 states that if the Central Government is satisfied that it is necessary or expedient in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States public order or for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the state, friendly relations with foreign States, public order, it may, by order, for reasons to be recorded in writing, direct that all or any provisions of this Act shall not apply to any agency of the Government.[20]

In section 42 of the 2018 draft that was provided by the expert, the committee stated while granting exemptions to the central government only for “the security of the State”, had said the processing of personal data “shall not be permitted unless authorised pursuant to a law, and in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved”.[21]

The terms ‘security of the state’ and ‘public order’ have very wide meanings and are not certainly defined in any acts and not even in the Constitution of India. The term public order is so vague that it covers even a small riot, an affray, breaches of the peace or acts disturbing public tranquillity.[22] Thus, it might be possible that the government may infringe upon the privacy of any individual on the basis of these two terms.

Section 35 completely undoes the objective of this bill as it puts the power in the hands of the Central Government and specifically makes it a party, judge and adjudicator of its own cause and in view of the recent challenges (emerging out) of the reported Whatsapp and Google snooping events, the chances of abuse of power under Section 35 are immense, with no transparency and accountability towards the relevant data principal.[23] The ultimate target will never know how their personal data is being used by government agencies.

With the help of this section, the Government can snoop on the privacy of any person who may expose scams or irregularities of the Government which will certainly affect the Democratic principles of the world’s largest Democracy.

Social Media Intermediaries

As per the ‘Explanation’ given under Section 26 of the Personal Data Protection Bill, 2019, a social media intermediary is an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services, but shall not include intermediaries which primarily enable commercial or business oriented transactions, provide access to the Internet,  in the nature of search-engines, on-line encyclopedias, e-mail services or online storage services.[24]

In order to curb the fake news which creates a lot of hatred among the people and also affects free and fair elections in any country, the proposed bill allowed the social media platforms the option to verify the accounts of their users. But the problem with this is that the manner in which the platforms are supposed to facilitate this verification is yet another critical matter that is left to the delegated legislation.[25] Further, there is no clarity on what documents will be accepted for the purpose of verification and what consequences will follow from this verification.[26]

And we all are aware of the fact that social media platforms have misused the critical personal data of individuals from time to time and not only this but many times there have also been instances of data stealing, thus, by verifying themselves, the citizens of India will be prone to a danger zone.

Conclusion

It is quite clear that the draft Personal Data Protection Bill which was proposed by the expert committee headed by Justice B.N Sri Krishna was drastically changed and produced in the House of the People. Apart from this, the Legislation lacks definition and clarity in many of the terms and sections and imposes a load of duty on the Executive.

Another important factor to note is that while the 2018 Bill had an entire chapter dedicated to ‘transitional provisions’ that provided for phased implementation of the provisions, the 2019 Bill has made a significant departure from this approach.[27] This implies that the 2019 Bill will come into effect on such date(s) as notified.[28] This may prove to be particularly burdensome given the limited time to effectively meet all the expectations and obligations set out under the 2019 Bill.[29]

Overall, again, the Parliament of India tries to follow the Doctrine of Colourable Legislation as when they can’t infringe the privacy of any citizens directly, they are trying to do it through vague legislation. Instead of providing privacy protection to the citizens of the country, this bill weakens it.

Although the Data Protection Bill, 2019 is not a bad effort, it is far from ready for enactment. Certain changes that shall be made are that the functions of the DAPA shall be provided explicitly in the bill, the term ‘critical personal data’ shall be made clear and what documents will be required for the verification by social media intermediaries and the manner in which they will verify shall also be made clear.

The article has been contributed by Kumar Amogh, a student at Law College Dehradun, Faculty of Uttaranchal University.

End Notes:

[1]Available at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en, last seen on 11/10/2020, at 11:45 A.M.

[2]Available at: https://www.truevault.com/learn/what-is-personal-data last seen on 11/10/2020, at 23:45 A.M.

[3]Bryan A. Garner, Black’s Law Dictionary, 3783 (8^th ed. 2004)

[4] AIR 1963 SC 1295: (1964) 1 SCR 332.

[5] AIR 1975 SC 1378.

[6] M.P Jain, Constitutional Law of India, 1169 (Reprint 7^th ed. 2016).

[7] AIR 1995 SC 264 : (1994) 6 SCC 632.

[8] (2017) SCC 1.

[9] Available at: https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-all-you-need-know last seen on 12/10/2020, at 23:13 A.M.

[10] Ibid

[11] Ibid

[12] Ibid

[13] Available at: https://www.mondaq.com/india/data-protection/904330/key-features-of-the-personal-data-protection-bill-2019#:~:text=The%20Personal%20Data%20Protection%20Bill%2C%202019%20(%22PDPB%22),%2C%20on%20December%2011%2C%202019.&text=The%20PDPB%20inter%20alia%2C%20prescribes,%2C%20disclosed%2C%20stored%20and%20transferred. last seen on 12/10/2020, at 13:52.

[14] Available at: https://cisomag.eccouncil.org/all-you-need-to-know-about-indias-first-data-protection-bill/ last seen on 12/10/2020, at 14:58.

[15] Available at: https://www.nationalheraldindia.com/opinion/does-the-data-protection-bill-threaten-the-right-to-privacy#:~:text=The%20Bill%20bestows%20certain%20rights,processed%20or%20has%20been%20processed. last seen on 12/10/2020, at 17:28.

[16] Supra 16

[17] Ibid

[18] Infra 23

[19] The Personal Data Protection Bill, 2019 (pending).

[20] Ibid.

[21] Available at: https://www.businesstoday.in/current/policy/personal-data-protection-bill-2019-central-government-power-may-undermine-privacy-of-citizens-people/story/392186.html last seen on 12/10/2020, at 11:45 A.M.

[22] M.P Jain, Constitutional Law of India, 1044 (Reprint 7^th ed. 2016).

[23] Supra 23.

[24] The Personal Data Protection Bill, 2019 (pending).

[25] Available at: https://thewire.in/tech/indias-privacy-bill-regulates-social-media-platforms last seen on 12/10/2020, at 23:45.

[26] Available at: https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and-analysis last seen on 13/10/2020, at 00:24.

[27] Available at: https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and-analysis last seen on 13/10/2020, at 00:45.

[28] Ibid

[29] Ibid