The Personal Data Protection Bill is expected to be tabled in the Indian Parliament this summer, after the Lok Sabha elections 2019. Back in July last year, a committee led by retired Indian Supreme Court Justice BN Srikrishna, formed with the idea to create a powerful data protection law in India, submitted its draft bill to the Ministry of Electronics and Information Technology (MEITY).
This submission in July came after a year of consultations with various stakeholders, but it has been status quo since. There were great expectations from the recommendations of this committee, particularly after the European Union General Data Protection Regulation (GDPR) came into force in May last year. The draft bill, titled Personal Data Protection Bill, 2018, is important because of the increasing ambiguity over how a user’s data is protected, which still persists even as there is a greater push towards online services, including by the government.
So, what do we know about the recommendations for the Personal Data Protection Bill 2018?
The bill states that “Any person processing personal data owes a duty to the data principal to process such personal data in a fair and reasonable manner that respects the privacy of the data principal.” Any and all personal data that is collected must be processed only for purposes that are clear, specific and lawful. The Data Protection Bill, 2018 also clarifies that after any personal data is collected, it must be processed only for the purpose it was collected for in the first place.
This gains even more importance, as more and more instances of data misuse come to light. Facebook, for instance, has been regularly at the receiving end of criticism from governments, regulators and users for various data privacy mishaps since the Cambridge Analytica scandal revelations early last year.
For the data collection to be valid and legal, the Data Protection Bill, 2018 states that it is “free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 (9 of 1872); informed, having regard to whether the data principal has been provided with the information required under section 8; specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing; clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.” The most important aspect of this clause is perhaps the last part, which talks about making it easy for the original owner of the data, that is, you and me, to withdraw the data that we may have shared in the first place, for whatever reason we may want to.
“The data fiduciary shall not make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose,” clarifies the Data Protection Bill, 2018. This means that a service provider (specified here as data fiduciary) cannot ask for any other data apart from what is strictly necessary to provide a service in return.
The draft Data Protection Bill, 2018 recommends that a data fiduciary (any State, company, juristic entity or individual who alone or in conjunction with others determines the purpose and means of processing of personal data), if found to be violating the safeguards for sensitive personal data, will be liable for a penalty of up to Rs 15 crore or 4 percent of the total worldwide turnover, whichever is more. If non-sensitive personal data safeguard terms are violated, then the penalty will be up to Rs 5 crore or 2 percent of the annual turnover, whichever is more.
Incidentally, the Data Protection Bill, 2018 draft recommendation doesn’t seem to give users any ownership of the data they share with companies or other individuals for a service, or the right to erasure of data that was previously shared, for instance. This is in stark contrast to the Telecom Regulatory Authority of India (TRAI) recommendations on data sharing with any entity in the telecom sector. The TRAI recommendations clearly state, “In respect of the ownership of personal data, the Authority is of the view that the individual must be the primary right holder qua his/her data. While the right to privacy should not be treated solely as a property right, it must be recognized that controllers of personal data are mere custodians without any primary rights over the same.” This simply means that any data that you share with any company still belongs to you, and the companies don’t have any ownership or the right to use that without your permission.
The draft recommendations in the Data Protection Bill 2018 also include the ‘Right to be Forgotten’. The draft bill says, “The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure— (a) has served the purpose for which it was made or is no longer necessary; (b) was made on the basis of consent under section 12 and such consent has since been withdrawn; or (c) was made contrary to the provisions of this Act or any other law made by Parliament or any State Legislature.”
Where the data is stored is also touched upon. The recommendations suggest that data localization for personal data is mandatory, and every data fiduciary shall have to keep a copy of the data they collect on a server or data center located in India. This is applicable even if the data fiduciary is keeping another copy of the data set on a server located outside India.
It now remains to be seen how this bill stands the test of time, and the test in the Parliament.