Lalima Gupta, UILS, Punjab University
Shashwat Raj, Asian Law College
Rajat Maheshwari, NLC Bharti Vidyapeeth University Pune
Editor : Sheetal Sharma, Faculty of Law, University of Delhi
“Privacy is not something that I’m entitled to, it’s an absolute pre-requisite”
Since the inception of documentation, data privacy has been of utmost concern. Authorities would mark a set of data as confidential which could be limitedly used for authorised purpose which in present times is known as ‘personal data’. But why do some set of characteristics of our lives become so evidently important as to its unauthorised access makes others culprit? Well, the statement answers for itself. Some attributes of our lives define our existence. Any act by any person that jeopardises that attribute actually puts our own existence in jeopardy. Now, when our lifelines are ‘online’, we do everything digitally. Making government document, paying bills, shopping, connecting, surfing, learning, all these activities may expose our personal data, fiscal facets and privacy rights prone to predators and exposing it to high risk of hacking and fraud. This problem magnifies when the data is saved in a remote server on an anonymous computer source as it not only becomes difficult to identify the source of fraud, but to search methods to eliminate it. Problematically, the existing IT Act, lacks the capability to deal with the evolving needs of current situation. The government after focussing on dynamism and gravity of the issue introduced the Personal Data Protection Bill, 2019 which emphasise on the need of consent and remedies ignorance.
The aim of which is presented in the opening lines of the bill which reads as follows:
“WHEREAS the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy; AND WHEREAS the growth of the digital economy has expanded the use of data as a critical means of communication between persons”
The need of the hour
There are countless examples where considering the present scenario the privacy of an individual can be put to risk which ultimately will be the violation of article 21 of the constitution. Which makes this bill the need of the hour. The recent one being Aarogya Setu App. After the COVID-19 pandemic, the government launched its own application- Aarogya Setu [(setu)bridge to being(aarogya)disease-free]. Functionally, the app is to track your every movement and update its functioning after every 15 minute; in case you come in contact with any of the infected person or you as an infected person meet anyone, the app through Bluetooth technology will inform you and other user of the danger. The concern here is about personal data being available, processing and utilised without any acquired consent (the precautions so taken somehow leave a lacuna thus endangering the data of ‘mandatory’ users). Enforcing of the bill can now help the victims who if wish to sue the government for this breach can legally held them responsible.
Areas covered under the Bill
Additional restrictions of data entities
The bill places additional responsibilities on data entities processing all the data. All the data fiduciaries are required to implement security safeguards such as data encryption and prevent misuse of data and they must set up a grievance mechanism to address complaint of individuals.
It also covers Institute mechanism for age verification and parental consent while processing personal data of children. Further, social media intermediaries with user above a certain limit and whose actions can impact electoral democracy or public order, must provide voluntary user verification mechanism for users in India.
Personal data, Sensitive personal data and Critical personal data
Personal data protection bill has created various sub categories on the personal data like sensitive personal data, critical personal data and personal data. The sensitive personal data further subcategories the data belonging to children and to adults because the children are much more vulnerable than adults, so by categorizing personal data into various categories the administrational impact and the privacy enforcement becomes easier.
How does the bill affect other areas of law?
Data is like water, if not given direction it will overflow. Once this bill is enacted, it will replace Section 43 of Information Technology Act, 2000 which talks about penalty and compensation for extracting individual's personal data stored in computer. It also replaces IT rules 2011 which is called "Reasonable security practices and sensitive personal data or information." The 2011 rules have been framed under Section 43A of Information Technology, 2000.
Other areas of Law-
1) Banking and Finance Law-
As Corona virus spreads and taking precious lives. People are cautious of going outside and using digital platforms for daily needs. As marketing through e-commerce websites increases, sensitive data of public tends to get vulnerable and thus compromise. First, these companies promise their users that they give utmost priority to safeguard their data and at second they steal and sell user data in order to know market position.
2) The Right to Privacy
On August 2017, Supreme Court declared Right to Privacy as fundamental right which is incorporated in Article 21 of Indian Constitution. After introduction of this bill, eyebrows have been raised in the drafting committee. The chairperson of the drafting committee of the original bill of 2018, Justice B.N Srikrishna who conducted the study and submitted the draft criticized the revised bill and said that "The government wants to intrude into private data of its citizens citing sovereignty and public order." He further added that this law may violate the fundamentals of democracy i.e. "Right to Privacy."
Factors which can facilitate this bill to be a success- Recommendations
Firstly, this bill will require affective regulation of the authority as prescribed indirectly. Secondly, the companies must have Indian office as prescribed in IT intermediary rules as well as grievance mechanism system will also be required so that individuals are the collective users and have the grievance redressal.
In the Consumer Protection act, there is provision for the class action suit so in that type of data violation, that provision should also be incorporated in the new bill so that collectively users can sue all the claim compensation against the corporate.
The government can collect data of users without much restraint and use this data in opaque ways. Besides, the Bill doesn't stick with the Supreme Court ruling on the proper to privacy within the Puttaswamy judgement which mandates government and authority to declare specific objectives for gathering or collecting personal data.
A recent Pegasus-WhatsApp interception scandal is often taken as an example of this. Under the proposed Bill, the government could empower a security agency, like the NSA, to undertake such an operation without contravening any laws.
Inclusion of non-personal data
The Bill further doesn't offer any explanation for the inclusion of non-personal data. As per the new Bill, the government can ask any company to offer it anonymised personal or non-personal data for policy formation and better delivery of services. The provisions in non-personal data should be included and the government should not be treated as omnipotent.
No judicial member within the DPA committee
The Data Protection Authority (DPA) team majorly comprises secretaries from the cupboard, Department of Legal Affairs and therefore the MeitY. This raises a serious concern about the DPA being independent of the government.
Impact on Companies
The Bill, if implemented in its current form, will have a three-fold impact on companies. It will mention a level of legal compliance which didn't exist earlier for the businesses. Thereby requiring companies whenever they gather data of users to put clear notices to users what data is being collected and what purpose it will put towards use. Businesses will need to revamp their data handling practices.
In reference to the utilisation of the info by the businesses, some companies are often exempted by the government.
The PDP Bill is a breakthrough to deal with the requirements of an evolving data protection regime of India. However, several aspects of knowledge protection (such as categorization of private data as sensitive personal data and important personal data, details on anonymized data, conditions from exemption from certain provisions of the PDP Bill, categories of SDFs, conditions for registration as a consent manager and processing of private data and sensitive personal data of children), which can be key to an efficient and successful implementation of the new regime, are delegated to the DPA and/or the Central Government. With the inclusion of other aspects that will bridge the gap in the bill, the bill could be perceived as futuristic but the important impact of the PDP Bill is going to be visible once the relevant rules and regulations are in place.
 Justice K.S. Puttaswamy (Ret'd) v. Union of India and Ors, WRIT PETITION (CIVIL) NO 494 OF 2012