Context

The Joint Parliamentary Committee (JPC) set up to go into the Personal Data Protection Bill, which was first tabled in Parliament in 2019, has finalised its report on the long-pending legislation that seeks to provide rights to individuals against the misuse of data pertaining to them, paving the way for its tabling in Parliament.

Background

• In the coming time when data is going to be figuratively considered to be more valuable than oil given its centrality in the new digital economy.
• In this regard, the Bill is expected to fill a big lacuna in India’s data protection regime.
• The Bill is a direct outcome of the 2017 Supreme Court judgment in the Justice KS Puttaswamy vs Union of India case, in which it recognised ‘privacy’ as a fundamental right.
• While passing its judgment in the case, it had directed the Centre to bring in a robust data protection law. 

Analysis

What is in the Bill?

• The original draft PDP Bill, which was introduced in Parliament in December 2019, was aimed at laying down provisions to safeguard “the privacy of individuals relating to their personal data" by, among other things, specifying the flow and usage of personal data and creating a relationship of trust between persons and entities processing the personal data.
• It’s designed to protect a user’s rights vis-a-vis the way her data is processed by creating “a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing".
• To implement the law, the Centre envisaged the creation of a Data Protection Authority of India.

Personal data The Bill defines ‘personal data’ as any information “about or relating to a natural person who is directly or indirectly identifiable" being linked thus to any “characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline".

Important provisions of the Bill

• The Bill covers the processing of any personal data which has its source within Indiaby the government and its agencies, Indian companies, private citizens or “any person or body of persons incorporated or created under Indian law".
  • It also extends broadly to entities based abroad who process data arising in India.
• Data owners: The owner of the data under the Bill are identified as ‘data principals’ while companies or entities storing or processing such data are classified as a’data fiduciary’.
  • Data processor: It also identifies any person or entity “who processes personal data on behalf of a data fiduciary" as a ‘data processor’.
    • A data fiduciary under the Bill is obligated to ensure that personal data is processed only for specific and lawful purposes with a focus on transparency and accountability.
  • Protection safeguards, grievance resolving: The collector of data is tasked with the responsibility of putting in place adequate data protection safeguards and creating a mechanism for receiving and resolving grievances submitted by users, among other things.
  • Right to seek confirmation: The Bill empowers individuals to seek a confirmation from the data fiduciary regarding the processing of their personal data and obtain rectification of inaccurate, incomplete, or out-of-date personal data.
  • Right to be forgotten: The bill had provisions to grant the right to be forgotten to data owners as well as the right to erase, correct and porting of data.
  • Fines for violation: The Bill also lays down hefty fines for the violations of its terms, going up to Rs 15 crore or 4 per cent of a company’s worldwide turnover, whichever is higher.

Concerns regarding the Bill

• It is argued that there are exemptions provided to government agencies to collect and process data in a way that violates a person’s right to privacy, held by the Supreme Court to be a fundamental right.
• Two specific features that have been flagged as being of concern are those contained in Articles 12(a) and 35of the Bill.
  • Article 12(a) does away with the need for informed consent of the data principal for the processing of her data
  • Article 35, lays down that the government may, “in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order" direct that “all or any of the provisions of this Act shall not apply to any agency of the government in respect of processing of such personal data".

Privacy is a fundamental human right specifically recognised under- Article 12 of the Universal Declaration of Human Rights Article 17 of the International Covenant on Civil and Political Rights ("ICCPR") The Protection of Human Rights Act, 1993 has referred to the ICCPR as a human rights instrument and the latter makes it mandatory for states to take steps for realisation of such right and ensure protection against interference by private parties.  Article 51 of the Constitution of India, which forms part of the Directive Principles of State Policy, requires the state to endeavour to "foster respect for international law and treaty obligations in the dealings of organised people with one another".

Why is data protection important?

• Data protection is the process of safeguarding important information from corruption, compromise or loss.
• The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates. There is also little tolerance for downtime that can make it impossible to access important information.
• Consequently, a large part of a data protection strategy is ensuring that data can be restored quickly after any corruption or loss. Protecting data from compromise and ensuring data privacy are other key components of data protection.

Data protection law in other countries European Union: General Data Protection Regulation (GDPR) California: California Consumer Privacy Act (CCPA) South Africa: Protection of Personal Information Act (POPI Act)

What are the challenges to data protection?

• Free flow, a threat to regulation: Data being borderless and accessible, sovereign states often face the challenge of governing and regulating data. 
• Growth of Data is Exponential: Data is growing faster than ever. More than 7 megabytes of new data is created every second.
• Fragmented rules: In India, there are a fragmented set of rules and vague redressal procedures.
  • For example- Information Technology Act, 2000 ("Act") and relevant rules formulated under the act, Payment and Settlement Systems Act, 2007, Indian Telegraph Act, 1885 and SEBI Data Sharing Policy, 2019 and RBI Guidelines on Cyber Security Framework for Banks and Information Security, 2016.
• Ambiguity: Regulatory ambiguity and inaction are very common and leads to huge losses.
• Lack of awareness: Lack of awareness on the importance and impact of personal data may be called into question only after such primary reasons are addressed.  

Conclusion

The past decade’s data explosion created a virtuous circle of data analysis and action, leading to new insights, data creation, and data analysis.

Thus, it is indeed crucial to respect the need for a reasonable timeline for the introduction and enforcement of data regulation.