Revised Personal Data Protection Bill Allows The State To Unilaterally Infringe Right To Privacy In The Name Of SovereigntyAnd Security :Justice BN Srikrishna

"Unfortunately, in my opinion, Personal Data Protection Bill 2019 has watered down this provision which allow the State to unilaterally infringe the Fundamental Right to Privacy in the name of sovereignty and security. Hopefully, the 32 wise men in Delhi will ensure that this right is not infringed. The State can take away your rights, only if it can ensure that it is doing so for the greater good of the public. It was a positive move on behalf of the State to make Aarogya Setu not mandatory.", Former Supreme Court Judge Justice BN Srikrishna said in Webinar on the topic "The Challenges in Personal Data Protection in the Absence of any Data Protection Law in India"Justice Srikrishna had chaired a committee which had been set up by the Ministry of Electronics and Information Technology in 2017 to study issues regarding the regulation of data protection. The committee had accordingly drafted the Personal Data Protection Bill, 2018. However, a revised version was approved by the Cabinet Ministry in 2019 as the Personal Data Protection Bill, 2019, and this has come under criticism from proponents of Right to Privacy, with Justice Srikrishna stating that it had the ability to turn India into an "Orwellian State". The webinar commenced with Justice Srikrishna underlining the importance of technology during the COVID-19 pandemic. He then focused on the value of our personal data which was being monetized by e-commerce entities wanting to expand their customer reach. "Our data gives an edge to e-commerce portals and allows them to reach their customers. Therefore, our data has value; huge monetary value. In our country, there has been a huge debate on this issue, and the Supreme Court has given contradictory views on this". Referring to the foundation of Right to Privacy in India, Justice Srikrishna referred to the time when Government of India had introduced the biometric system, Aadhaar. Proponents of Right to Privacy challenged the mandatory institution of Aadhaar on the grounds that it violated an individual's privacy, which was encompassed under Article 21 of the Constitution of India. While assessing the legality of Aadhaar, the Supreme Court raised the question of what constituted the Right to Privacy. While doing so, it was held that if the State could adhere to certain parameters of a legislation, it could impose restrictions on fundamental rights. That is when the question of legislation on Data Protection arose, with the committee being formed to deliberate upon it. Justice Srikrishna then raised the question regarding protection of property and whether all personal data could be constituted as personal property requiring protectioin. "As far as property is concerned, such as land, movable property, it is all protected vide certain legislation. Now, take for instance, my name. If that's my property, can I rent it out? Can I sell it in the market? Can I gift it? Therefore, it's not necessary to presume that there's always a proprietary relationship between data and an individual." On the topic of consent, Justice Srikrishna referred to contractual relationships wherein multiple prerequisites exist before one enters into it. For instance, the Mohori Bibee case lays down the law that minors cannot enter into a contract. However, consent is different when it comes to data protection. "When you enter a mall, there are CCTVs. Or when you are on the road, there are speed monitors which note your license plate. You might question whether your video is being taken, or your information is being noted, with your consent. The legal principle which arises here is that there are certain situations where consent is presumed." Justice Srikrishna also talked about the need for a Regulator in order for the effective implementation of the Personal Data Protection Bill. "Data is being processed all the time. There were questions which no one had ever thought of being brought to the fore. And this is where the Data Protection Authority comes in and their job is to ensure there is no breach of data." He further enumerated what constitutes as "breach of data". "Breach of data is unauthorized access to data or corruption of data or non-updation of data. This is the duty of the Regulator – to make sure there is no breach." At the advent of the data protection statute, the person whose data was being taken was called the "data subject". However, this nomenclature was changed to "data principle", with the one taking the data being called "data fiduciary" in order to denote a trustworthy relationship between the two entities. Justice Srikrishna then enlightened the participants of the webinar by explaining the limitations on the usage of personal data that might be extracted from a data principle by a data fiduciary. These limitations can be categorized into "purpose limitation" and "time limitation". "Purpose limitation is one concept ...

Revised Personal Data Protection Bill Allows The State To Unilaterally Infringe Right To Privacy In The Name Of SovereigntyAnd Security :Justice BN Srikrishna

Radhika Roy

Tags