Data Protection Framework in India – Explained, pointwise

Introduction

The Union Government has withdrawn the Personal Data Protection Bill, 2019 from the Parliament. The Government has said that it is considering a ‘comprehensive legal framework’ to regulate the online space. This includes bringing separate laws on data privacy, the overall Internet ecosystem, cybersecurity, telecom regulations, and harnessing non-personal data to boost innovation in the country. The Government has withdrawn the Bill after nearly 4 years of the Bill being in the works. It had gone through multiple iterations, including a review by a Joint Parliamentary Committee (JPC). The Bill had faced major pushback from a range of stakeholders including big tech companies (like Facebook and Google), privacy and civil society activists.

The Joint Committee of Parliament had proposed 81 amendments to the Bill and gave 12 recommendations on creating a comprehensive legal framework for the digital ecosystem in India. The Government will consider the report of the JPC and work on the new framework.

[Figure: Timeline of the Personal Data Protection Bill, 2019]

What were the key provisions of the Personal Data Protection Bill, 2019?

Personal data definition: The Bill defined ‘personal data’ as any information which renders an individual identifiable. Also, it defined data ‘processing’ as collection, manipulation, sharing or storage of data.

Territorial applicability: The Bill included the processing of personal data by both government and private entities incorporated in India. It also covered the entities incorporated overseas if they systematically deal with data principals within the territory of India.

Grounds for data processing: The Bill allowed data processing by fiduciaries if consent was provided by the individual.

Sensitive personal data: It included passwords, financial data, biometric and genetic data, caste, and religious or political beliefs. The Bill specified more stringent grounds for the processing of sensitive personal data, such as seeking the explicit consent of the individual prior to processing.

Data Protection Authority: The Bill provided for the establishment of a Data Protection Authority (DPA). The DPA would have been empowered to: (a) Draft specific regulations for all data fiduciaries across different sectors; (b) Supervise and monitor data fiduciaries.

Cross-border storage of data: The Bill stated that every fiduciary shall keep a ‘serving copy’ of all personal data in a server or data centre located in India.

Transfer of data outside the country: Personal data (except sensitive personal data which is ‘critical’) may be transferred outside India under certain circumstances.

What was the criticism of the Bill?

First, the technology companies had questioned a proposed provision in the Bill called data localisation. Under this, it would have been mandatory for companies to store a copy of certain sensitive personal data within India, and the export of undefined “critical” personal data from the country would have been prohibited.

Second, the activists had criticized the provisions that allowed the Union government and its agencies blanket exemptions from adhering to any and all provisions of the Bill.

What were the recommendations of the Joint Parliamentary Committee?

The JPC had called for expanding the scope of the proposed law to cover discussions on non-personal data. It had thus changed the mandate of the Bill from personal data protection to broader data protection. Non-personal data are any set of data that does not contain personally identifiable information.

It had recommended changes on issues such as regulation of social media companies, and on using only “trusted hardware” in smartphones, etc.

It proposed that social media companies that do not act as intermediaries should be treated as content publishers — making them liable for the content they host.

What is the need for Data Protection Law in India?

First, India has one of the highest numbers of data breaches each year, and many sites, both government and private, suffer from data losses and leaks. Recently, data of almost 28 crore Indian citizens registered with the Employees’ Provident Fund Organization (EPFO) were leaked online. This included sensitive information like full name, nominee details, Aadhaar details, bank account details, etc.

Second, with a population of over a billion, India has the second highest internet user base in the world. India has 450 million internet users, and this number is expected to increase to 730 million by 2020. Therefore, a strong data protection law is needed to protect their personal data.

Third, a data protection law is needed for the efficient management of data in the age of digitisation. One of the major challenges to big data is information privacy, which necessitates a robust data protection law. Further, the Supreme Court (SC), in the K.S. Puttaswamy vs Union of India case, held the right to privacy to be an inherent part of the fundamental right under Article 21 of the Constitution.

Fourth, the delay will result in an unnecessary vacuum for many of the laws already taking shape, like the Criminal Procedure Identification Act used for police surveillance and digital policing.

Fifth, to curtail the perils of unregulated and arbitrary use of personal data, since most of the servers of companies like Google and Facebook are located outside India.

What is the status of Data Protection in other Nations?

The EU: The most important data protection legislation enacted to date is the General Data Protection Regulation (GDPR). It governs the collection, use, transmission, and security of data collected from residents of any of the 28 member countries of the European Union. The law applies to all EU residents, regardless of the location of the entity that collects the personal data. Fines of up to €20 million or 4% of total global turnover may be imposed on organizations that fail to comply with the GDPR. Some important requirements of the GDPR include: (a) Consent: Data subjects must be allowed to give explicit, unambiguous consent before the collection of personal data; (b) Data Breach: Organizations are required, in most cases, to notify supervisory authorities and data subjects within 72 hours in the event of a data breach affecting users’ personal information; (c) Rights of the Users: Data subjects (people whose data is collected and processed) have certain rights regarding their personal information.

[Figure: Rights of the Users under the GDPR]

The e-Privacy Regulation (ePR) was supposed to come into force alongside the EU’s General Data Protection Regulation in 2018 but has been stalled for years. It is now expected to come into force in 2023. The e-Privacy Regulation, if passed, would create privacy rules for traditional electronic communications services and for entities such as WhatsApp, Facebook Messenger, and Skype. It would create stronger rules on the privacy of electronic communications, covering the content of the communications as well as their metadata. Service providers and electronic communications networks would have to obtain prior consent from the user before processing their electronic communications metadata.

The US: There is no single comprehensive federal law that governs data privacy in the U.S. Instead, there is a complex patchwork of sector-specific and medium-specific laws like: (a) The Children’s Online Privacy Protection Act (COPPA), which governs the collection of information about minors; (b) The Health Insurance Portability and Accountability Act (HIPAA), which governs the collection of health information.

In addition, many States in the US have their own data protection and privacy acts, like the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), New York SHIELD Act, etc.

What should be done going ahead?

Legal and Privacy Experts have proposed that:

First, the new law should focus on personal data and exclude non-personal data. Personal data protection falls in the domain of privacy and allows an individual to control how information about her is used. Non-personal data regulation is more related to economic aims. The mandate of the B N Srikrishna Committee was to suggest a framework for the protection of personal data. By bringing in non-personal data, the Government had diluted the proposed law.

Second, there must be checks on the use of data by the Government and its agencies. Privacy advocates have been calling for reform of Indian surveillance laws. The new law must minimize the amount of data collected by security agencies, limit how long it can be stored, and require agencies to adopt security measures to safeguard the data.

Third, there is a need for a strong data regulator. The new regulator should work closely with other regulators and stakeholders like the RBI, TRAI, etc. for sector-specific regulations; e.g., the RBI has already issued some data-related regulations, such as mandating local storage of payments data and barring merchants and payment aggregators from storing card data.

Fourth, the Government should also allow the cross-border flow of data. Data localisation should be limited only to clearly and narrowly defined critical data. Cross-border data flows add to economic growth. A McKinsey Global Institute paper from 2016 estimates that global data flows contributed US$2.8 trillion to global GDP.

Fifth, the new legal framework should be finalized only after extensive public consultation. This will ensure that the protection of the rights of Indian citizens is the cornerstone on which this new legal framework is built.

It has been close to 10 years since the (Justice) A P Shah Committee Report on privacy, 5 years since the Puttaswamy Judgment and 4 years since the Justice B N Srikrishna Committee’s Report. All of this signals an urgency for a data protection law and surveillance reforms.

Syllabus: GS II, Government policies and interventions for development in various sectors and issues arising out of their design and implementation; GS III, Awareness in the field of IT.

Source: Indian Express, The Hindu, The Times of India
