An individual’s right to privacy was re-affirmed by the Supreme Court in 2017 in the Justice Puttaswamy case in which concerns were raised pertaining to violation data privacy caused due to collection of data under the Aadhaar scheme. At one point the government had sought to make mandatory linking of Aadhaar to every service, but the Supreme Court made linking of Aadhaar voluntary, except for availing benefits under government schemes. It also made linking of PAN Card and Aadhaar card mandatory, in order to avoid tax frauds.
It was due to this case that the need for a legislation to regulate data protection and to safeguard people’s right to privacy arose. In the above-mentioned case, the Supreme Court had reaffirmed right to privacy to be a fundamental right. A committee was set up by the government in 2017 under chairmanship of retired Supreme Court Judge Justice Srikrishna. The report of the committee has been in deliberation since it was submitted to the government and finally this draft bill has been presented.
The bill in brief
The bill includes many recommendations from the report as provisions. It has some salient features such as definition of personal data, sensitive personal data and handling of data of children, it also provides for withdrawal of consent and seeking of express consent. The bill imposes a lot of regulations on social media aggregators/intermediaries which may have significant impact on electoral democracy, security, public order, sovereignty and integrity of India designating them as significant data fiduciaries. Thus, bringing companies like Google, Facebook, Twitter, Whatsapp under its ambit.
As a whole, the bill seems to be giving protection of people’s data high priority and is also making entities possessing such data accountable, by imposing severe penalties for acting in contravention to provisions pertaining to protection of data, informing on breach of data and so on. It also provides for creation of an Authority to deal with complaints against breach of data and any other complaints against data fiduciaries as also an Appellate Authority for faster redressal of complaints.
The bill covers all personal data collected or shared by the State or any company or citizen or body corporate even outside the territory of India which carries out business in India or one which engages in profiling of data. On technical terms, the bill seems robust and comprehensive, especially in the definitions it has accorded to different categories of personal data; thus, indicating that the Ministry has taken due note of the Justice Srikrishna report and based the law purely on its findings, albeit not completely.
The main issue being, it gives the government certain exemptions from having to abide by the provisions on several counts which are arbitrary and vague in their definition and which could be misused by the government from time to time, to justify its actions of breaching people’s data and for doing away with seeking consent.
Waiver of consent
Section 11 of the bill provides for processing of data only by the consent of the data principal, i.e. the person to whom the data belongs. Section 12, however, waives this consent for the government enabling it to process data without the consent of the data principal. It provides that this can be done by the government for performance of its functions for provision of service or benefit, for compliance with order/judgment of any court, to respond to medical emergency, to provide health services and to undertake measures to ensure safety during a disaster or breakdown of public order.
Further, it allows formulation of any regulations under the law to waive off consent for “reasonable purposes” while taking into consideration certain factors such as public interest, interest of data fiduciary and so on. Reasonable purposes may include prevention and detection of unlawful activity, whistle blowing, mergers and acquisitions, network and information security, credit scoring, debt recovery, processing of publicly available data, operation of search engines.
Rectification of Data
Section 18 speaks about rights of the data principal to correct inaccurate data, complete incomplete data, updating data and erasing data that is no longer necessary for the purpose for which it was processed. The same section gives the data fiduciary the authority to reject such an application made by the data principal for making changes in his/her own data, while providing reasons for such rejection.
Right to receive one’s own data
Section 19 provides for receipt of data by data principal which is process by automated means. Within the same section the State is exempted if the processing is done for functions of the State or in compliance of any law and if such compliance to data principal’s request would reveal a trade secret of a data fiduciary.
Blanket exemption
Section 35 gives an almost blanket exemption to the government to deal with the data principal’s data , without having to follow the provisions of the law, if such processing of the data (which includes sharing) is in the interest of sovereignty, integrity and security of the state, if it affects friendly relations with a foreign state, for preventing incitement of commission of cognizable offence relating to the aforementioned. There is also exemption of certain provisions if data is processed in interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law; if disclosure is necessary to for enforcing legal rights; if it is necessary for any judicial function; if processing is necessary or relevant for journalistic purpose.
Exemption for purposes of research, archiving or statistical purposes
Section 38 provides that if data processing is necessary for research, archiving, or statistical purposes then it shall be exempt from application of provisions of this law if the compliance with the provisions of the law might disproportionately divert resources from such purpose; purposes of processing cannot be achieved if the personal data is anonymised; if data processed does not cause significant harm to data principal and so on.
It is hoped that the joint select committee that examines the law comes up with some suggestions and recommendations that do not expose people’s personal data to be exploited by the government under these ‘exemptions’ which they are mostly likely to misuse and use as a defence for breaching people’s data.
The complete bill as presented in the Lok Sabha may be read here.