TLI Explains: Know About India's Draft Data Privacy Bill Which Seeks To Prevent Misuse Of Personal Data
After at least a year of deliberation, the 10-member Justice Srikrishna Committee submitted the draft of The Personal Data Protection Bill 2018 to the government on July 27, along with a report on the framework for data security in India. The committee report also draws a lot of inspiration from the General Data Protection Regulation (GDPR) that was recently introduced in the European Union.
The government has also sought public feedback on the draft bill. An August 14 notification on the Ministry of Electronics and Information Technology website said, “MeitY solicits comments from the general public on the Draft Personal Data Protection Bill by 10th September 2018.”
Why is the Data Protection Bill 2018 important?
Up until now, Indian laws provided little protection against the misuse of people’s personal data. The SPD Rules (Sensitive Personal Data and information, 2011) govern the transfer of personal data on the internet. However, with the data protection bill, the consent of the individual user becomes crucial to data sharing. Stating that the right to privacy is a fundamental right of individuals, the proposed bill says that internet users will have the final word when it comes to data usage and will also have the right to withdraw consent. Therefore, the onus of data sharing lies exclusively with the owner.
The draft bill also noted that the relationship between an individual and the service provider must be viewed as a fiduciary relationship: since the individual relies on the service provider to obtain a service, the latter is obliged to process the former’s data in a fair manner. Further, the bill has defined personal data as information which makes it easier to identify an individual, whereas sensitive personal data includes passwords, financial data, biometric data, genetic data, caste, religious or political beliefs etc.
What does the bill mandate?
The draft bill also states that any party who is processing your data is obligated to do so in a fair manner. The Srikrishna Committee draft bill has also prescribed steep penalties for non-compliance. According to the Economic Times, if data is misused, non-compliant parties will have to serve a jail term of three years or pay a fine of up to Rs 2 lakh, or both. Since the draft bill draws heavily from the EU’s GDPR, it has also prescribed differing ranges of penalties for violation of different provisions. “For some other contraventions, including contravening the provisions on cross-border transfers, consent and grounds of processing, penalties extend to Rs 15 crore or 4% of the global turnover in the previous financial year, whichever was higher,” Nehaa Chaudhari of TRA Law told the daily.
While amendments have been proposed to the Right to Information Act and the Information Technology Act, no amendments to the Aadhaar Act have been proposed yet. Reportedly, the scope of an individual’s rights is limited in the current draft bill as compared to the EU’s laws. However, it has still adopted principles like the right to access and correction, the right to portability, and the right to be forgotten. While noting that obtaining consent is not possible under all circumstances, the bill has identified four different bases under which data can be processed non-consensually. These bases include processing of data for the purpose of the functioning of the Parliament or state legislature, for responding to a medical emergency, or in cases of breakdown of public order, among others. The bill also talks about exemptions from compliance with its provisions, which include state security; prevention, investigation, or prosecution of any offence; and personal, domestic, or journalistic purposes.
Moreover, the draft bill has also mandated absolute data localisation, that is, complete storage and processing of critical personal data in India. Apart from this, it has imposed different localisation requirements for different kinds of data. The bill also requires a copy of an individual’s personal information to be kept on a server or a data centre in India. Under the EU’s law, however, data controllers are allowed to transfer data outside the EU if they fulfil certain conditions.
Recently, Facebook’s admission that the personal data of 87 million users, including five lakh Indian users, was shared with Cambridge Analytica has revealed the extent to which data can be misused over the internet. India lacks any substantial law that would tackle some of the burning questions related to the sharing of data on the internet. Even though this seems to be a step in the right direction, several media reports and experts have expressed concerns over the provisions of the Personal Data Protection Bill 2018.
The first problem is the bill’s data localisation norms. To meet the norm, companies would be obliged to set up local servers in India. This will make it difficult for existing companies to operate in the country. Nasscom in an email statement said, “Mandating localisation of all personal data as proposed in the bill is likely to become a trade barrier in the key markets.” It further expressed concerns over Indian startups that are going global.
The draft bill also mandates the creation of a Data Protection Authority of India, thereby placing immense power in the hands of the central government. The decision of the central government when it comes to matters of policies will also be final and binding on the authority.
Moreover, unlike the GDPR, which empowers users by allowing them to completely delete data they have shared, the Personal Data Protection Bill 2018 does not mandate the same for Indian users. Instead, its “right to be forgotten” principle only allows users to restrict companies from using their data. This makes it crucial for users to determine what is important data and what is not.
While misuse of personal data on the internet has become a burning issue and a reason for concern all over the world, authorities in India should aim to make the law more industry-friendly while keeping in mind the rights of individual users.