Skip to main content
Sabrang
Sabrang
Freedom Politics

New data protection law comprehensive but full of exemptions

In the Winter session of this year, the ‘Personal Data Protection Bill’ based on the recommendations and findings of the Justice Srikrishna report, has been tabled in the Lok Sabha. The bill, however, has been referred to a joint select committee consisting of 30 members who will submit their report by the budget session next year after many opposition parties wanted changes to be made to the law.

Sabrangindia 12 Dec 2019

data protection

An individual’s right to privacy was re-affirmed by the Supreme Court in 2017 in the Justice Puttaswamy case in which concerns were raised pertaining to violation data privacy caused due to collection of data under the Aadhaar scheme. At one point the government had sought to make mandatory linking of Aadhaar to every service, but the Supreme Court made linking of Aadhaar voluntary, except for availing benefits under government schemes. It also made linking of PAN Card and Aadhaar card mandatory, in order to avoid tax frauds.

It was due to this case that the need for a legislation to regulate data protection and to safeguard people’s right to privacy arose. In the above-mentioned case, the Supreme Court had reaffirmed right to privacy to be a fundamental right. A committee was set up by the government in 2017 under chairmanship of retired Supreme Court Judge Justice Srikrishna. The report of the committee has been in deliberation since it was submitted to the government and finally this draft bill has been presented.
 

The bill in brief

The bill includes many recommendations from the report as provisions. It has some salient features such as definition of personal data, sensitive personal data and handling of data of children, it also provides for withdrawal of consent and seeking of express consent. The bill imposes a lot of regulations on social media aggregators/intermediaries which may have significant impact on electoral democracy, security, public order, sovereignty and integrity of India designating them as significant data fiduciaries. Thus, bringing companies like Google, Facebook, Twitter, Whatsapp under its ambit.

As a whole, the bill seems to be giving protection of people’s data high priority and is also making entities possessing such data accountable, by imposing severe penalties for acting in contravention to provisions pertaining to protection of data, informing on breach of data and so on. It also provides for creation of an Authority to deal with complaints against breach of data and any other complaints against data fiduciaries as also an Appellate Authority for faster redressal of complaints.

The bill covers all personal data collected or shared by the State or any company or citizen or body corporate even outside the territory of India which carries out business in India or one which engages in profiling of data. On technical terms, the bill seems robust and comprehensive, especially in the definitions it has accorded to different categories of personal data; thus, indicating that the Ministry has taken due note of the Justice Srikrishna report and based the law purely on its findings, albeit not completely.

The main issue being, it gives the government certain exemptions from having to abide by the provisions on several counts which are arbitrary and vague in their definition and which could be misused by the government from time to time, to justify its actions of breaching people’s data and for doing away with seeking consent.
 

Waiver of consent

Section 11 of the bill provides for processing of data only by the consent of the data principal, i.e. the person to whom the data belongs. Section 12, however, waives this consent for the government enabling it to process data without the consent of the data principal. It provides that this can be done by the government for performance of its functions for provision of service or benefit, for compliance with order/judgment of any court, to respond to medical emergency, to provide health services and to undertake measures to ensure safety during a disaster or breakdown of public order.

Further, it allows formulation of any regulations under the law to waive off consent for “reasonable purposes” while taking into consideration certain factors such as public interest, interest of data fiduciary and so on. Reasonable purposes may include prevention and detection of unlawful activity, whistle blowing, mergers and acquisitions, network and information security, credit scoring, debt recovery, processing of publicly available data, operation of search engines.
 

Rectification of Data

Section 18 speaks about rights of the data principal to correct inaccurate data, complete incomplete data, updating data and erasing data that is no longer necessary for the purpose for which it was processed. The same section gives the data fiduciary the authority to reject such an application made by the data principal for making changes in his/her own data, while providing reasons for such rejection.
 

Right to receive one’s own data

Section 19 provides for receipt of data by data principal which is process by automated means. Within the same section the State is exempted if the processing is done for functions of the State or in compliance of any law and if such compliance to data principal’s request would reveal a trade secret of a data fiduciary.

Blanket exemption

Section 35 gives an almost blanket exemption to the government to deal with the data principal’s data , without having to follow the provisions of the law, if such processing of the data (which includes sharing) is in the interest of sovereignty, integrity and security of the state, if it affects friendly relations with a foreign state, for preventing incitement of commission of cognizable offence relating to the aforementioned. There is also exemption of certain provisions if data is processed in interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law; if disclosure is necessary to for enforcing legal rights; if it is necessary for any judicial function; if processing is necessary or relevant for journalistic purpose.
 

Exemption for purposes of research, archiving or statistical purposes

Section 38 provides that if data processing is necessary for research, archiving, or statistical purposes then it shall be exempt from application of provisions of this law if the compliance with the provisions of the law might disproportionately divert resources from such purpose; purposes of processing cannot be achieved if the personal data is anonymised; if data processed does not cause significant harm to data principal and so on.

It is hoped that the joint select committee that examines the law comes up with some suggestions and recommendations that do not expose people’s personal data to be exploited by the government under these ‘exemptions’ which they are mostly likely to misuse and use as a defence for breaching people’s data.

The complete bill as presented in the Lok Sabha may be read here.

 

New data protection law comprehensive but full of exemptions

In the Winter session of this year, the ‘Personal Data Protection Bill’ based on the recommendations and findings of the Justice Srikrishna report, has been tabled in the Lok Sabha. The bill, however, has been referred to a joint select committee consisting of 30 members who will submit their report by the budget session next year after many opposition parties wanted changes to be made to the law.

data protection

An individual’s right to privacy was re-affirmed by the Supreme Court in 2017 in the Justice Puttaswamy case in which concerns were raised pertaining to violation data privacy caused due to collection of data under the Aadhaar scheme. At one point the government had sought to make mandatory linking of Aadhaar to every service, but the Supreme Court made linking of Aadhaar voluntary, except for availing benefits under government schemes. It also made linking of PAN Card and Aadhaar card mandatory, in order to avoid tax frauds.

It was due to this case that the need for a legislation to regulate data protection and to safeguard people’s right to privacy arose. In the above-mentioned case, the Supreme Court had reaffirmed right to privacy to be a fundamental right. A committee was set up by the government in 2017 under chairmanship of retired Supreme Court Judge Justice Srikrishna. The report of the committee has been in deliberation since it was submitted to the government and finally this draft bill has been presented.
 

The bill in brief

The bill includes many recommendations from the report as provisions. It has some salient features such as definition of personal data, sensitive personal data and handling of data of children, it also provides for withdrawal of consent and seeking of express consent. The bill imposes a lot of regulations on social media aggregators/intermediaries which may have significant impact on electoral democracy, security, public order, sovereignty and integrity of India designating them as significant data fiduciaries. Thus, bringing companies like Google, Facebook, Twitter, Whatsapp under its ambit.

As a whole, the bill seems to be giving protection of people’s data high priority and is also making entities possessing such data accountable, by imposing severe penalties for acting in contravention to provisions pertaining to protection of data, informing on breach of data and so on. It also provides for creation of an Authority to deal with complaints against breach of data and any other complaints against data fiduciaries as also an Appellate Authority for faster redressal of complaints.

The bill covers all personal data collected or shared by the State or any company or citizen or body corporate even outside the territory of India which carries out business in India or one which engages in profiling of data. On technical terms, the bill seems robust and comprehensive, especially in the definitions it has accorded to different categories of personal data; thus, indicating that the Ministry has taken due note of the Justice Srikrishna report and based the law purely on its findings, albeit not completely.

The main issue being, it gives the government certain exemptions from having to abide by the provisions on several counts which are arbitrary and vague in their definition and which could be misused by the government from time to time, to justify its actions of breaching people’s data and for doing away with seeking consent.
 

Waiver of consent

Section 11 of the bill provides for processing of data only by the consent of the data principal, i.e. the person to whom the data belongs. Section 12, however, waives this consent for the government enabling it to process data without the consent of the data principal. It provides that this can be done by the government for performance of its functions for provision of service or benefit, for compliance with order/judgment of any court, to respond to medical emergency, to provide health services and to undertake measures to ensure safety during a disaster or breakdown of public order.

Further, it allows formulation of any regulations under the law to waive off consent for “reasonable purposes” while taking into consideration certain factors such as public interest, interest of data fiduciary and so on. Reasonable purposes may include prevention and detection of unlawful activity, whistle blowing, mergers and acquisitions, network and information security, credit scoring, debt recovery, processing of publicly available data, operation of search engines.
 

Rectification of Data

Section 18 speaks about rights of the data principal to correct inaccurate data, complete incomplete data, updating data and erasing data that is no longer necessary for the purpose for which it was processed. The same section gives the data fiduciary the authority to reject such an application made by the data principal for making changes in his/her own data, while providing reasons for such rejection.
 

Right to receive one’s own data

Section 19 provides for receipt of data by data principal which is process by automated means. Within the same section the State is exempted if the processing is done for functions of the State or in compliance of any law and if such compliance to data principal’s request would reveal a trade secret of a data fiduciary.

Blanket exemption

Section 35 gives an almost blanket exemption to the government to deal with the data principal’s data , without having to follow the provisions of the law, if such processing of the data (which includes sharing) is in the interest of sovereignty, integrity and security of the state, if it affects friendly relations with a foreign state, for preventing incitement of commission of cognizable offence relating to the aforementioned. There is also exemption of certain provisions if data is processed in interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law; if disclosure is necessary to for enforcing legal rights; if it is necessary for any judicial function; if processing is necessary or relevant for journalistic purpose.
 

Exemption for purposes of research, archiving or statistical purposes

Section 38 provides that if data processing is necessary for research, archiving, or statistical purposes then it shall be exempt from application of provisions of this law if the compliance with the provisions of the law might disproportionately divert resources from such purpose; purposes of processing cannot be achieved if the personal data is anonymised; if data processed does not cause significant harm to data principal and so on.

It is hoped that the joint select committee that examines the law comes up with some suggestions and recommendations that do not expose people’s personal data to be exploited by the government under these ‘exemptions’ which they are mostly likely to misuse and use as a defence for breaching people’s data.

The complete bill as presented in the Lok Sabha may be read here.

 

Related Articles

Sunday

03

Jan

Pan-India

Saturday

05

Dec

05 pm onwards

Rise in Rage!

North Gate, JNU campus

Thursday

26

Nov

10 am onwards

Delhi Chalo

Pan India

Theme

Stop Hate

Hate and Harmony in 2021

A recap of all that transpired across India in terms of hate speech and even outright hate crimes, as well as the persecution of those who dared to speak up against hate. This disturbing harvest of hate should now push us to do more to forge harmony.
Taliban 2021

Taliban in Afghanistan: A look back

Communalism Combat had taken a deep dive into the lives of people of Afghanistan under the Taliban regime. Here we reproduce some of our archives documenting the plight of hapless Afghanis, especially women, who suffered the most under the hardline regime.
2020

Milestones 2020

In the year devastated by the Covid 19 Pandemic, India witnessed apathy against some of its most marginalised people and vilification of dissenters by powerful state and non state actors. As 2020 draws to a close, and hundreds of thousands of Indian farmers continue their protest in the bitter North Indian cold. Read how Indians resisted all attempts to snatch away fundamental and constitutional freedoms.
Migrant Diaries

Migrant Diaries

The 2020 COVID pandemic brought to fore the dismal lives that our migrant workers lead. Read these heartbreaking stories of how they lived before the pandemic, how the lockdown changed their lives and what they’re doing now.

Campaigns

Sunday

03

Jan

Pan-India

Saturday

05

Dec

05 pm onwards

Rise in Rage!

North Gate, JNU campus

Thursday

26

Nov

10 am onwards

Delhi Chalo

Pan India

Videos

Communalism

Hate Speech is rampant while Free speech is criminalised | Teesta Setalvad

Eminent speakers like Justice Anjana Prakash, Saba Naqvi expressed grave concerns over the draconian laws, used to put down the struggles of the labouring masses and the manner in which the law enforcement have been taking down students, academicians, political and human rights activists, artists, Dalits, Muslims and tribal people.

Communalism

Hate Speech is rampant while Free speech is criminalised | Teesta Setalvad

Eminent speakers like Justice Anjana Prakash, Saba Naqvi expressed grave concerns over the draconian laws, used to put down the struggles of the labouring masses and the manner in which the law enforcement have been taking down students, academicians, political and human rights activists, artists, Dalits, Muslims and tribal people.

IN FACT

Analysis

Stop Hate

Hate and Harmony in 2021

A recap of all that transpired across India in terms of hate speech and even outright hate crimes, as well as the persecution of those who dared to speak up against hate. This disturbing harvest of hate should now push us to do more to forge harmony.
Taliban 2021

Taliban in Afghanistan: A look back

Communalism Combat had taken a deep dive into the lives of people of Afghanistan under the Taliban regime. Here we reproduce some of our archives documenting the plight of hapless Afghanis, especially women, who suffered the most under the hardline regime.
2020

Milestones 2020

In the year devastated by the Covid 19 Pandemic, India witnessed apathy against some of its most marginalised people and vilification of dissenters by powerful state and non state actors. As 2020 draws to a close, and hundreds of thousands of Indian farmers continue their protest in the bitter North Indian cold. Read how Indians resisted all attempts to snatch away fundamental and constitutional freedoms.
Migrant Diaries

Migrant Diaries

The 2020 COVID pandemic brought to fore the dismal lives that our migrant workers lead. Read these heartbreaking stories of how they lived before the pandemic, how the lockdown changed their lives and what they’re doing now.

Archives