The Data Protection Bill 2019, which was introduced in the Lok Sabha on 11th December 2019 and is broadly based on the Justice B.N. Srikrishna Committee Report of 2018, is in itself a matter of seminal importance. The Central Government was seized of the report for a year after its submission, making amendments before tabling it in Parliament. At present, the bill stands under the roving scrutiny of a Joint Parliamentary Committee headed by M.P. Meenakshi Lekhi. The Bill assumes seminal importance in the face of deeply pervasive threats such as over-arching surveillance, non-consensual third-party data sharing, monitoring of content on private platforms and data proliferation in the name of improving business prospects and marketability of products. It stands in sync with the mandate of the Supreme Court in the K.S. Puttaswamy (Privacy) Judgment, which urged the Central Government to frame appropriate legislation to embolden the concept of individual privacy. It codifies, regulates, systemizes and strengthens the rights of a data principal by putting individual consent at the heart of the legislation.
The Supreme Court was amply clear that the right to privacy is an absolute right, but in the context of this bill and even otherwise, the privacy of an individual could better be viewed as a civil and political right predicated on the structure of society rather than solely identified as something intrinsic to human beings.
The Data Protection Bill is largely based on the data protection law in Europe, namely the General Data Protection Regulation (GDPR). The Bill envisages a Data Protection Authority of India which would supervise the actions of all data fiduciaries and function with the paramount objective of safeguarding the interests of Data Principals. The framework of the proposed law defines and categorizes a person’s data as Personal Data, Sensitive Personal Data and Critical Personal Data. Data categorized as sensitive personal data includes information relating to biometric data, genetic data, health data, financial data, sexual orientation/activity, intersex/transgender status, and the political and religious leanings of a person. Critical Personal Data has not been defined in the bill, and the Government can from time to time notify what constitutes critical personal data (by inference it would inevitably include biometric and genetic data and such unique identifiers of a person). Under the bill, a Data Fiduciary includes any person, company, entity and even the State which would ‘determine the purpose and means of processing personal data’. A data fiduciary would not be entitled to process the personal data of a person for any illicit purpose, nor can it process personal data without that person's free, clear, specific, informed and retractable consent. The collection of such private data cannot be unlimited and all-inclusive but needs to be limited to the purpose it would and ought to serve. However, these fetters on processing personal data do not extend to cases where vital economic functions of the State (authorized by Parliament/State Legislature) are to be performed; where compliance with a Court’s judgment is involved; where there is a public health or medical emergency; or where public safety is to be restored in a breakdown of public order.
Furthermore, data processing without consent can be done for other ‘reasonable purposes’, which would include prevention and detection of unlawful activities, mergers and acquisitions, whistle blowing, credit scoring and debt recovery, and the operation of search engines.
Other important features of this law include data localization, which essentially means that sensitive personal data of individuals cannot be transported and processed outside the country without explicit consent, except in emergency situations, which can vary from medical treatment to extradition of fugitives. A significant milestone of this proposed law is the incorporation of the concept of the Right to be Forgotten. This right was originally conceptualized by the European Court of Justice when it ruled against Google Spain, which had maintained links concerning an individual, Mario Costeja Gonzalez, and records of a forced sale of his property to satisfy a debt, which had been published in a Spanish newspaper. The European Court of Justice concluded that the continuing linkage violated both the European Privacy Directive and the Charter of Fundamental Rights of the European Union, as the information was embarrassing and not newsworthy because Gonzalez was not a public person. Originally, the Right to be Forgotten includes several possibilities: the first is the right of delisting (not to appear on search engines); the second is the right to end any further dissemination of information, so that it is not freely accessible for inspection without proper application, consent of the data principal and verification; and the third is a right of full erasure, whereby the information is disabled or extricated from the source. As far as this bill is concerned, this right could be enforced by making an application to the Adjudicating Officer who would after considering certain laid down factors.
Emphasis has been placed on two aspects. One is maintaining transparent norms with respect to the processing of data by data fiduciaries, with regulations enacted to promote such transparency. Two is that the information processed should be managed securely by methods of encryption, de-identification, and prevention of unauthorized access and misuse, in a prioritized fashion which may be calculated on the risk of harm the information may cause if divulged or leaked.
The bill aims to further enhance the accountability of data fiduciaries by mandating maintenance of records by way of periodic review of security regulations and upgrading them accordingly, by data protection impact assessments, and by timely audits of the policies of data fiduciaries by independent auditors on the scale of effectiveness and adherence to the provisions of the Act, regulations and internationally accepted norms.
Lastly, it hopes to impose prohibitive fines amounting to crores of rupees in cases of data breaches, data leakage, data misuse and acts in derogation of this law.
There are criticisms of this bill which have come from no less a person than Justice B.N. Srikrishna himself, who has termed this bill the onset of an “Orwellian State” for attempting to centralize data and, moreover, use it in the name of national security and state sovereignty. More recently, the Registrar General of India, the NCRB and the NIA raised concerns at the JPC deliberations about interpreting Section 35 and Section 36 conjunctively, which would essentially mean that a few organizations should be given a free hand and be permanently exempted from consensually accessing data as laid down in the bill.
All things considered, the bill largely aims at securing the data of individuals by laying down elaborate methods of giving notice and obtaining consent, and by agreeing to implement international standards on the withdrawal of consent in cases of sensitive personal data and on the Right to be Forgotten. Most importantly, it carefully demarcates a thin line that allows the law enforcement agencies to perform their duties as entrusted by law, while it respects the freedom of speech of journalists by exempting their work (subject to their code of ethics), and it firmly restores individual autonomy, which itself remains at stake until this bill becomes effective law.
This law will in itself be authoritative until the world-renowned historian Yuval Noah Harari’s incipient words in his latest book ‘21 Lessons for the 21st Century’ come true:
“Soon authority might shift again- from humans to algorithms. Just as divine authority was legitimized by religious mythologies, and human authority was justified by the liberal story, so the coming technological revolution might establish the authority of Big Data algorithms, while undermining the very idea of individual freedom.”