Revised Personal Data Protection Bill Allows The State To Unilaterally Infringe Right To Privacy In The Name Of SovereigntyAnd Security :Justice BN Srikrishna

The webinar commenced with Justice Srikrishna underlining the importance of technology during the COVID-19 pandemic. He then focused on the value of our personal data which was being monetized by e-commerce entities wanting to expand their customer reach.

"Our data gives an edge to e-commerce portals and allows them to reach their customers. Therefore, our data has value; huge monetary value. In our country, there has been a huge debate on this issue, and the Supreme Court has given contradictory views on this".

Referring to the foundation of Right to Privacy in India, Justice Srikrishna referred to the time when Government of India had introduced the biometric system, Aadhaar. Proponents of Right to Privacy challenged the mandatory institution of Aadhaar on the grounds that it violated an individual's privacy, which was encompassed under Article 21 of the Constitution of India.

While assessing the legality of Aadhaar, the Supreme Court raised the question of what constituted the Right to Privacy. While doing so, it was held that if the State could adhere to certain parameters of a legislation, it could impose restrictions on fundamental rights. That is when the question of legislation on Data Protection arose, with the committee being formed to deliberate upon it.

Justice Srikrishna then raised the question regarding protection of property and whether all personal data could be constituted as personal property requiring protectioin.

"As far as property is concerned, such as land, movable property, it is all protected vide certain legislation. Now, take for instance, my name. If that's my property, can I rent it out? Can I sell it in the market? Can I gift it? Therefore, it's not necessary to presume that there's always a proprietary relationship between data and an individual."

On the topic of consent, Justice Srikrishna referred to contractual relationships wherein multiple prerequisites exist before one enters into it. For instance, the Mohori Bibee case lays down the law that minors cannot enter into a contract. However, consent is different when it comes to data protection.

"When you enter a mall, there are CCTVs. Or when you are on the road, there are speed monitors which note your license plate. You might question whether your video is being taken, or your information is being noted, with your consent. The legal principle which arises here is that there are certain situations where consent is presumed."

Justice Srikrishna also talked about the need for a Regulator in order for the effective implementation of the Personal Data Protection Bill.

"Data is being processed all the time. There were questions which no one had ever thought of being brought to the fore. And this is where the Data Protection Authority comes in and their job is to ensure there is no breach of data."

He further enumerated what constitutes as "breach of data".

"Breach of data is unauthorized access to data or corruption of data or non-updation of data. This is the duty of the Regulator – to make sure there is no breach."

At the advent of the data protection statute, the person whose data was being taken was called the "data subject". However, this nomenclature was changed to "data principle", with the one taking the data being called "data fiduciary" in order to denote a trustworthy relationship between the two entities.

Justice Srikrishna then enlightened the participants of the webinar by explaining the limitations on the usage of personal data that might be extracted from a data principle by a data fiduciary. These limitations can be categorized into "purpose limitation" and "time limitation".

"Purpose limitation is one concept which limits the purpose for which data is used. So, if your data is taken for a particular reason, it can only be used for that purpose and not for anything else without your consent. Then there is time limitation, which comes with a proviso. This means that your data can be stored only a limited time period. Once the limitation is over, the data has to be deleted."

With regard to the rights that were possessed by the data principle, Justice Srikrishna explained that there were five rights given to the data principle:

"The right to ensure that the personal data remains secure, the right to ensure that the personal data remains uncorrupted, for the data to be deleted as per the limitations, for the data to be used only for the purpose for which it is given, and for the data to be only used by the data fiduciary."

Delving into circumstances wherein data can be taken away without consent of the data principle, Justice Srikrishna referred to situations such as that of the COVID-19 pandemic.

"Assuming it is not a situation of presumption of consent, there are other situations where data can be taken without consent. Take for instance, the situation of COVID. Data is necessary for statistical probability. If someone wants to do research on impact of COVID, they will need data on it. This is where the aspect of 'data anonymization' comes in, where only numbers are taken, and no personal information is utilized."

Apart from 'data anonymization', Justice Srikrishna also referred to "pseudonymization" which replaces the identity of the data in a way that additional data or information is required to identify the original data principle.

Justice Srikrishna then spoke on different aspects which could be covered by the law Personal Data Protection, such as the protection of whistleblowers in private firms, processing and storage of data which needs to be done with the consent of the principle et al.

While discussing the breadth of the Bill and the fine line that had to be drawn between Right to Privacy and access to data, Justice Srikrishna referred to the tests which were laid down in the Justice K. Puttuswamy case that had to be satisfied if the State was breaching the Right to Privacy:

"The first step is that there must be a legislative enactment which must categorically explain the purpose for collection of data. Then there is also the need for a rational connection between the object and the breach. There should be no absurdity in the connection between the accessing of data and the purpose for its collection. There is also need for proportionality; the law should not go above and beyond what is absolutely required. Last, it should be the least repressive alternative mechanism."

On the question whether the State could access the data of a person who was a suspect, Justice Srikrishna stated that the State could do so and the legislation should have a strict methodology on how it must be done. Herein, Justice Srikrishna condemned the revised PDP Bill, 2019 for removing safeguards on protection of personal data for use by the State.

"Unfortunately, in my opinion, PDP Bill 2019 has watered down this provision which allow the State to unilaterally infringe the Fundamental Right to Privacy in the name of sovereignty and security. Hopefully, the 32 wise men in Delhi will ensure that this right is not infringed. The State can take away your rights, only if it can ensure that it is doing so for the greater good of the public. It was a positive move on behalf of the State to make Aarogya Setu not mandatory."

On the transfer of data, Justice Srikrishna elaborated upon two aspects which could find meaning in the General Data Protection Regulation (European Union's digital privacy legislation). First is the "adequacy decision" which entails for data to not be transferred across the border or to a party outside without authorization of the data principle. Second, there is the deletion of data which gives the right to a data principle to be forgotten; the right to erasure.

Justice Srikrishna also referred to "privacy by design" which technically means that every company must have a policy in place or at least the means to educate their employees on data privacy. They should also have the infrastructure to protect personal data.

He further noted certain lacunae in the PDP Bill 2019, such as the lack of a definite date of commencement and no data localization policy. Also:

"An innocuous section has been added which intends to control all social media intermediaries such as WhatsApp etc. in a bid to allegedly protect the data principle. However, it only ends up taking away provisions which are meant to emancipate the principle with remedies."

With these observations on the issue of personal data protection in India by Justice Srikrishna, the enlightening webinar came to an end.