New Delhi: The Personal Data Protection Bill, 2019, introduced in the Lok Sabha earlier this week, is now with a joint parliamentary committee. The panel will vet the bill further and then submit a report to the Lok Sabha during the Budget Session next year.
Industry and legal experts have welcomed the move to deliberate on the bill further.
The 2019 bill has provisions that were absent in the 2018 draft prepared by the Srikrishna committee. For instance, the 2019 bill has extensive measures to protect citizens’ privacy and data, but it allows government agencies to be exempted from this law, effectively granting them impunity if an individual’s right to privacy is violated.
The bill also poses new challenges for social media firms including forced data-sharing.
ThePrint explains the Modi government’s contentious bill, which has drawn criticism across the board, especially over the free rein it gives to government agencies.
How the bill came about
In an age where data is the new gold and every public and private entity is clamouring to access more data, a data protection law is important to make sure a person’s right to privacy and data protection is not violated by these entities.
The need for a law addressing data and privacy protection arose from the Puttaswamy judgment, a 2017 Supreme Court ruling that reiterated that privacy is a fundamental right. The verdict came in response to a petition by former Karnataka High Court judge K.S. Puttaswamy questioning the validity of Aadhaar, the biometric identification scheme.
Main features of Personal Data Protection Bill, 2019
Both the 2019 bill and the 2018 draft lay emphasis on the same issues: obtaining consent before accessing an individual’s data, penalties for violating the law, setting up a Data Protection Authority (DPA), and storage of most data collected in India within India.
The Srikrishna committee fashioned its draft along the lines of Europe’s data protection regime, the General Data Protection Regulation (GDPR).
The bill emphasises the importance of obtaining proper consent before accessing an individual’s data as nearly every company collects and monetises user data in one way or another.
According to the personal data protection bill, consent will be considered valid only if it has been obtained after satisfying the following criteria:
- The individual must have given consent freely and not due to any coercion.
- The consent must be gained after providing adequate information so that a user can make an informed decision.
- The request for consent must specify exactly what data will be used, so that an individual need not consent to access to more data than required.
- The consent must be obtained clearly through an active prompt and not through a passive means such as a pre-ticked box.
- It must be as easy to withdraw consent as it was to give it.
Hefty fines have been proposed for violating the bill’s provisions. For instance, the bill proposes fines of up to “five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher” if an entity fails to take speedy and appropriate action in the event of a security breach.
It also proposes fines up to “fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher” if the entity violates the bill on how data processing should happen, especially in the case of children’s data. This rule also comes into play if the entity violates the bill in how it handles transfer of personal data outside India.
Data Protection Authority
A Data Protection Authority (DPA) should be set up to oversee data-processing activity, the bill proposes, giving the body powers similar to those of a civil court.
At a November meeting of industry body Internet and Mobile Association of India (IAMAI), Shahana Chatterji, partner at law firm Shardul Amarchand Mangaldas, said the bill gives the DPA “very, very significant powers” and a “very impactful role” in shaping the data protection framework.
However, Chatterji also questioned the DPA’s ability to exercise these powers without government interference. Section 86 (2) of the bill says the DPA is bound by central government-issued directions on “questions of policy”.
Data localisation — the process of storing data gathered in India within India — is a salient point in the 2019 bill, but has been changed slightly from the 2018 draft. The mandate for data localisation has been relaxed now.
The 2018 draft said a copy of all personal data gathered in India should be stored in India if it is transferred abroad. The 2019 bill adjusts this to say only personal data classified as “sensitive” or “critical” need be stored in India.
The bill leaves it up to the government to notify what counts as “critical” data.
“Sensitive” data can be sent abroad after obtaining consent from the individual owning the data. The bill includes financial, health and sex life data as examples in this category.
Notably, the 2019 bill has removed ‘passwords’ from what counts as sensitive following advocacy by industry groups, a local industry body representative said on condition of anonymity.
The representative said a password doesn’t count as sensitive since it’s only used to verify a user. The groups had even pushed for financial data to be removed from the definition of sensitive data to match global practices, the representative added.
Significant changes in 2019 bill
Government agencies can be exempted under the Personal Data Protection Bill, 2019.
“It’s like giving them a blank cheque to do what they want,” a member of the committee, which drafted the bill in 2018, told ThePrint on condition of anonymity.
The 2018 draft had said accessing data without an individual’s consent in cases like national security is permitted only if a law made by parliament allows it and is “necessary” and “proportionate” to any investigation.
The latest version says in cases like national security, the central government has the power to exempt agencies from all or some provisions including asking for prior consent to access data “by order” and by recording the reasons in writing.
The change comes even as the government was accused earlier this year of illegally spying on around 120 Indians, including prominent activist Bela Bhatia and lawyer Nihalsing Rathod, using spyware named Pegasus in the WhatsApp snooping case.
It was revealed that Pegasus was reportedly installed on victims’ phones through their WhatsApp account and used to access their messages and monitor location.
Legal experts have expressed concern over possible exploitation of India’s first privacy law by the central government for its own benefit — especially for law enforcement purposes.
However, IT Minister Ravi Shankar Prasad denied these allegations in the Lok Sabha as “wrong”, “malicious” and “misleading”. “What we are doing is we are protecting the privacy of Indians,” Prasad said Wednesday.
Targeting data sharing and social media firms
Another major provision in the 2019 bill — absent in the 2018 draft — is the mandate to companies to give the government “anonymised or other non-personal data” for broad purposes like “better targeting of delivery of services or formulation of evidence-based policies”.
Anonymised data includes personal data that has been processed to remove any personal identifiers so that an individual’s privacy is maintained even if it’s shared with the government.
The bill does not specify if the government will pay companies for this data.
The government “claiming this data will rob many such [data-driven] businesses of their critical asset and may prove to be detrimental for many service providers”, the IAMAI said in a statement Thursday.
The bill also increases regulations for social media companies, in what may pose challenges to ease of doing business. Under the provisions, social media platforms can be notified as “significant data fiduciaries” since they impact election outcomes, national security, and public order.
It asks these entities to conduct annual audits of their policies and data-processing methods. In addition, social media firms labelled significant data fiduciaries will have to set up a mechanism for users to voluntarily verify themselves, to reduce online anonymity and trolling.
Facebook (including WhatsApp and Instagram) and Bytedance (handling TikTok, Helo and Vigo Video) — two of the biggest social media firms operating in India — will be most affected by this mandate.