India opened up to the world in the 1990s through a series of economic reforms and liberalisation policies. The country enacted laws covering digital transactions a decade later with the Information Technology Act 2000. The IT Act has governed India’s data protection till now, but advancements in technology have exposed chinks in the regime. The progress of reforms in data protection and privacy norms have been tardy, to say the least.
Governments across the world have been trying to frame foolproof laws to deal with issues in cyber security. The formulation of the General Data Protection Regulation (GDPR) by the European Union acted as a catalyst in this regard. The GDPR, which took about 4 years to be formulated, intends to regulate the processing of personal data of individuals residing in the European economic area. This regulation has been updated to cover fresh challenges in the cyber security landscape .
It was in this backdrop that the 2019 bill on personal data protection was introduced in the Rajya Sabha. This bill defined personal data as data that may contain any personality traits that can be used to identify that particular individual. Sensitive personal data was defined to include data on financial health, sexual orientation, and biometric and genetic parameters.
The PDP Bill, however, did not talk about the concept of non-personal data. In fact, the Union government was empowered to direct any data fiduciary/controller or processor to furnish the former with anonymised personal data or non-personal data. Under the proposed law, the mobile app is called the data fiduciary, the advertiser interpreting the data obtained through the app is called the data processor and the person using the app is known as the data principal.
After much deliberation, it was decided that the PDP Bill be referred to a joint parliamentary committee to conduct a critical analysis of the provisions and provide suitable recommendations. India has not enacted any specific legislation on data protection. But certain amendments have been made in the Information Technology Act 2000 to include Section 43A and 72A, which provide the right to compensation in case of improper disclosure of personal information.
JPC on Data Protection Bill
The joint parliamentary committee was constituted on December 11, 2019 to study the provisions of the Personal Data Protection Bill. Though the committee was to present the report during the Budget Session of 2020, the report was tabled in December, 2021.
The report studied various sections of the 2019 Bill and came up with a draft bill titled the Data Protection Bill, 2021. The report tries to address a plethora of concerns with respect to data protection whilst keeping in mind recent judgements of the court regarding data protection and privacy. The key suggestions put forward by the report are as follows:
Non-personal data to be included: The most important takeaway from the joint parliamentary committee report is its decision to include the concept of non-personal data in the ambit of the personal data protection law. Simply put, non-personal data means any data that does not reveal the identity of an individual, such as a photo that is blurred beyond repair.
The committee was of the opinion that such non-personal data should also be included within the ambit of the bill because non-personal data can also affect privacy as well as keeping in mind the difficulty in distinguishing between personal and non-personal data. The committee was also mindful of the fact that it was impractical to constitute separate data protection authorities to deal with non-personal and personal data.
Importance to data of minors: The committee has also provided suggestions in order to improve privacy for children. It has provided a recommendation that children should be given the opportunity to re-evaluate their consent upon attaining majority, and that it should not be assumed automatically. It has also provided the suggestion that the provision for guardian data fiduciaries be eradicated. This would mean that every data fiduciary is prevented from profiling and tracking information relating to children .
Data regulation and privacy: The committee has reiterated the fact that data is extremely vital to the economy and that it must be regulated in such a manner that is in line with the economic interests of the country.
Surveillance by sovereign bodies: The committee has given the suggestion that the Union government may grant immunity from all provisions of this act to any agency that processes personal data in the interest of the sovereignty, security, and public order of the nation. It must be noted that several nations such as the US and UK have included such immunity clauses in their data protection laws in the interest of national security.
It also lays down an important safeguard which provides that while exempting a particular agency from legal liability for the above reasons, the government must formulate a proper procedure which must pass the test of justice, reasonability, and proportionality. This is an important step in order to prevent unreasonable exploitation of data of private citizens by government agencies.
Standardisation testing and quality certification (STQC): The committee has suggested that a provision be added to streamline the process of standardisation testing and quality certification to ensure the establishment is high-quality and has reliable software and hardware. This is critical because they are necessary to counter the exploitation of concealed backdoors planted by adversaries in resources such as databases and file servers.
Regulation of social media: The committee has also emphasised on the importance of regulating social media in order to curb the proliferation of fake news and misleading content. Earlier, social media companies have been granted immunity from the wrongdoings of users as long as it can be proved that they have not facilitated or modified the original content in order to cause discord. The committee has put forward certain recommendations to regulate social media companies by making them liable for the illegal actions of users through their services.
Gaping halls in JPC report
The JPC report is an honest attempt to address the concerns regarding data protection and privacy in the face of rising challenges in the cybersecurity domain. But there have been some drawbacks in the report which could potentially disrupt efforts towards the very end that the committee was striving for.
One major issue is with the system of regulation of data related to children. The regulation of data fiduciaries is structured in such a way that in order to ensure that data related to children is not profiled or tracked, one needs to identify the age of the user accessing any given website or app. This task of age-dating the entire internet is both troublesome and problematic.
The JPC has also tried to give more importance to economic growth and national prosperity with the draft bill, through the amendment of the long title of the bill to include the words to ensure the security and interest of the state as a major objective of the bill. This gives the appearance that the focus is primarily on data breaches and localisation instead of developing a holistic understanding of data protection as a concept.
Consent is often viewed as a foundational concept while drafting laws around data protection. In the Personal Data Protection Bill 2019, clause 12 provides that processing personal data without consent is permissible when such processing is necessary. The draft bill does not sufficiently define concepts like proportionality and legitimate purpose, and makes the situation worse by giving quasi-judicial entities the authority to process data without consent.
The JPC has also recommended removing the immunity given to data fiduciaries having intermediary status, such as social media companies. This is a positive development, but they are often overcome by the demand for verification of social media users for action to be taken against them in case of misconduct. This is because verification of social media users requires collecting more data about the users by social media platforms, and will heighten user surveillance.
Moreover, the JPC has given greater immunity to government agencies while collecting and processing data of individuals in order to safeguard the safety and security of society. But the draft bill, unlike the Privacy Code, does not regulate surveillance. Therefore, the exceptions given in the former act apply only to the conditions under which the data was gathered. There is no legal framework to regulate cases of intersection and mass surveillance technologies such as facial recognition as of now.
The committee also suggested the formulation of a data protection authority to look into matters that come under the purview of the law. However, the way in which the data protection authority is structured itself gives greater power to the Union government. For instance, clause 42 of the bill of 2019 states that the selection committee that oversees the appointment of members of the data protection authority shall solely consist of members of the executive.
This gives enormous power to the government over the authority. It is also given in clause 86 of the PDP bill that the Data Protection Authority shall be bound by the Union government’s decision on questions of policy. The JPC report has amended this to bring all the cases of the Data Protection Authority as well under the control of the Union Government. Therefore, there is no real independence in the workings of the proposed Data Protection Authority.
Much of the criticism of the Bill comes from the JPC itself. In fact 8 members of the JPC including Jairam Ramesh, Derek O’Brien and Mahua Moitra filed dissent notes against the bill, stating that the reports suffer from an inherent design flaw and that it gives blanket exemption to government agencies. They argue that the access to private data at such a large and unbridled scale would result in excessive control by the state over citizens.
Judicial approach towards data protection
One of the most noticeable changes in the draft data protection bill is in the Preamble. The JPC has privileged digital economy over data protection and has continued with large parts of the 2019 version that place economic interests at the same level as informational privacy. The emphasis is on promoting a digital economy through legislation on data protection so that it fosters sustainable growth of digital products and services.
This follows the same approach adopted by the expert committee on data protection headed by Justice B. N Srikrishna. The latter report prioritises economic benefits over the rights of citizens. This is in contravention to the view put forward by the Supreme Court in the case of Justice K. S Puttaswamy vs Union of India (2017).
In this case, 91 year-old High Court justice Puttaswamy filed a case against the Union of India to ascertain whether the right to privacy was guaranteed as an independent fundamental right, following the decision of the government to make registering in the Aadhaar scheme a prerequisite for access to government services and benefits.
This led to the establishment of a nine judge bench of the supreme court to look into this matter of grave importance and it was held unanimously by the bench that the right to privacy is a constitutionally protected right in India and is incidental to other freedoms guaranteed by the Indian Constitution.
Through this judgement, the Court reiterated the prime importance of privacy as a fundamental right in the Indian Constitution and decreed that no person shall be deprived of the same except according to procedure established by law . Therefore, the JPC report suggestions prioritising economic benefits over citizen rights has made the entire draft data protection bill questionable on the grounds of being violative of the fundamental principles of the Constitution of India.
Difference with EU laws
While drafting laws in order to govern a particular domain of issues, one must be careful to compare and contrast it with similar legislations in other parts of the world so that the existing lacunae in our laws may be eradicated. The Data Protection Bill 2021 is an ambitious attempt at regulating data collection and privacy issues associated with it. Therefore, it becomes imperative to have some kind of comparison with the European Union’s General Data Protection Regulation.
According to the GDPR, users must have informed consent about the way the data is processed. In the data protection bill it is stated that processing of data should be done in a transparent manner while also ensuring privacy.
The implementation of the GDPR is expected to be conducted in phases. There is a two year transition period for the provisions of this regulation to be put in place. Whereas in India, though the two-year transition period is there, data fiduciaries are given a period of 9 months for registration and the Data Protection Authority has been given a period of six months to start.
In the European Union law, a data fiduciary can be defined as any natural or legal person or public authority or body that determines the purpose and means of data processing. In India there is an additional provision to include data processing NGOs as well.
The key differences between the two legislations are in dealing with non-personal data and punishment turns. In India it is given that non-personal data will come under the purview of the data protection law, while in European Union law, anonymous information is not included under data protection laws because it is impossible to distinguish one from another.
In the European Union law there is no jail term as such. There is only a fine of up to 20 million euros or 4% Global turnover of the preceding fiscal year, in case of an undertaking. In India there is a jail term extending up to three years, a fine of rupees 2 lakh or both if the de-identified data is re-identified by any person.
The way ahead
The Draft Data Protection Bill 2021 is a significant part of the Joint Parliamentary Committee Report, originally intended to critically analyse and evaluate the Personal Data Protection Bill 2019 which was introduced in the Parliament in December 2019. The bill was partly influenced by the global consensus on the need to regulate the collection and processing of consumer data, as well as the introduction of the General Data Protection Regulation (GDPR) by the European Union in 2018, following a 4 year period of deliberation and discussion.
Though the bill entails detailed provisions like those to ensure the protection of both personal and non-personal data of citizens as well as the protection of privacy of children, there are certain drawbacks. For instance, there is total immunity given to central government agencies for obtaining data and processing it, in view of the safety and security of the nation- a condition which many consider an excessive exemption and violative of the fundamental rights of citizens.
There is also a concern that the preference given to economic benefits over informational privacy is in contravention to the Supreme Court’s view regarding privacy, as put forward under the K. S Puttaswamy v Union of India case (2017).
The bill is at risk of becoming antiquated in some respects, due to the fact that it is rooted in Web 2, the mainstream centralized form of the internet. It should also focus on Web 3, the decentralized form of internet, which is based on blockchain technology, cryptocurrency or both, known as crypto economic protocol. This would go a long way in ensuring that the bill will be able to deal with the latest challenges to data protection as well.
(Akhil Joseph Mathew is a student at Rajiv Gandhi National University of Law, Punjab.)