It is safe to speculate that India’s data protection regime is set to undergo a metamorphosis in the recent future. The debate on privacy and data protection has become a pressing issue as the constitutional bench of nine judges, headed by the Chief Justice of India, is set to decide whether the right to privacy is a fundamental right and a committee headed by former Justice BN Srikrishna has been formed to suggest a draft Bill on data protection. It is in this series of important events that may contribute to India’s focus on data protection that the Data (Privacy and Protection) Bill, 2017, must be noted and duly acknowledged. The Bill was introduced as a Private Member’s Bill in the Lok Sabha in July 2017. The Justice BN Srikrishna Committee was formed, thereafter, to propose a draft data protection regime to identify current issues and possible statutory protections.
The Data (Privacy and Protection) Bill, 2017, grants a statutory Right to Privacy under Section 4. However, this Right to Privacy is only pursuant to Articles 19 and 21. While a statutory recognition of the Right to Privacy may be applauded for being a baby step in the right direction, it is critical to appreciate the dangers of linking the same with Fundamental Rights under Articles 19 and 21, as the contours of the Right to Freedom of Speech and Expression and the Right to Life are malleable and coloured by the decisions of the judiciary, keeping the socio-political reality of a period in mind. However, it is essential to note that this Bill applies not only to private corporations or body corporate, but is equally applicable to state entities, government agencies or any other persons acting on their behalf. Even the definition of a “third party” under this Bill includes the public authorities. This symbolises a significant change in law from the existing regime under the existing Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”).
The Bill also proposes to streamline the data protection regime in India by providing a holistic framework and proposes the creation of the Data Privacy and Protection Authority. This authority will act as both the regulator and adjudicator of disputes arising from the Act and will also have the power to initiate suo moto action against a data processor or controller. More importantly, the Bill proposes to have an overriding effect on the Information Technology Act, 2000, and the Telecom Regulatory Authority Act, 1997, and any other legislation addressing the collection, processing and storage of personal data.
Further, under the definitions provided in Section (2) of the Bill, both data processors and data controllers have been defined, providing clarity on who holds data. However, the Bill does not distinguish between the obligations or liabilities between data processors or data controllers. The Bill also has a pressing focus on the informed and unambiguous consent of a person providing personal information. In the context of sensitive and personal information, the person must provide his or her express and affirmative consent for the storage, use, processing of any such data.
Another change proposed by the Bill is the need for the publication of a Privacy Notice. While the SPDI Rules had a provision for publication of privacy policies on a body corporate’s website, the Bill goes a step forward by specifying the contents and format of this notice. It also helps in creating a statutory framework that is individualised based on the type of data being disclosed by a person and provides the person disclosing such data with the option to hold the data processor or controller liable, if the provided data is used for any purpose apart from what was intended or for longer than consent for storage was given. The Bill also provides a person with the Right to erase any of his data or withdraw consent or change the data provided. This option must also be displayed clearly in the Privacy Notice to educate the provider of personal information. The use of the word “Right” in this context gives teeth to the requirement of prior consent and an individualised Privacy Notice regime and has the potential to keep data processors and controllers on their feet to ensure the safety of any data they handle.
Section 10 of the Bill provides for the “Right” to seek withdrawal of data. This Right to seek withdrawal of data will impose a greater responsibility on data processors/controllers who must remove the data provided within the stipulated period. The creation of such a Right is subject to great debate, as witnessed in the context of the Right to be forgotten in the context of the European Union. Further, this Right is subject to certain limitations such as safeguarding public interest or in furtherance of a Court Order.
Section 14 of the Bill stated that “while giving consent, the person shall have a “legitimate expectation” that the data controller/processor will abide by the provisions of this Act, who must take all security measures necessary for safeguarding such personal data with “due diligence”. While the intentions of the Bill are to provide a person with a safety net against data protection breaches, it is essential to elucidate the difficulty in matching such standards of protection as cyber-attacks and data thefts continue to evolve, often leaving existing security measures redundant. This may open the floodgates of litigation. The Bill also introduces the concept of pseudo-anonymisation of data, so that a person cannot be identified using such information without the use of additional data. However, pseudo- anonymisation has not been mandated but is only “encouraged”, leaving gaping loopholes especially in the context of protection of sensitive, personal data.
Under Section 36, no person can assist in or conduct surveillance of a person. However, an exemption has been made for state agencies, subject to certain restrictions and prior approval by the DPPA. The time duration for storing such data must be specified and no data that is no longer necessary for the State agency can be accessed after a year from the DPPA’s approval to ensure the state does not disrespect a person’s right to privacy incessantly. On a similar note, individual profiling has been prohibited by the Bill and any instance of profiling would amount to an invasion of a person’s Right to Privacy. However, with respect to sensitive, personal data, Section 20(2) provides that no sensitive data shall be processed for any other purpose apart from its intended use but can be used by welfare schemes and social protection laws. Hence, this would imply that the Aadhaar scheme of BHIM (Bharat Interface for Money) would also have access to a person’s personal, sensitive information. This Section is analogous with the present dispute at the Supreme Court and will continue to be subject to debate due to the existing privacy concerns.Lastly, the Bill has made all offences under its provisions cognisable offences and has increased the monetary penalty and imprisonment period for all existing breaches. Further, the concept of applying a high monetary penalty on a per day basis, based on number of days of violation of data protection), has been imposed, to ensure defaulters are forced to take appropriate measures to remedy the breach on a timely basis. Hence, while this Bill introduces a few much-needed changes in terms of expanding the scope of applicability f data protection laws and recognising the Right to Privacy, such euphoric provisions are equally shadowed by sections that enable usage of sensitive, personal data for welfare schemes, thereby imposing statutory limitation on the Right to Privacy. Yet, what remains certain is that a change in the existing framework is the need of the hour and if recent events are indicative of this metamorphosis, change is just around the corner!
Enakshi Jha is a law graduate from NALSAR University of Law.