The Winter Session of Parliament has begun, and on the agenda for the session, which runs until December 13, are key bills, including the Personal Data Protection Bill, 2019. It was in July last year that the Justice BN Srikrishna-led committee submitted its draft bill to the Ministry of Electronics and Information Technology (MEITY). The idea was simple: to create a powerful data protection law in India. The draft was finalized after a year of consultations with various stakeholders and came just after the European Union General Data Protection Regulation (GDPR) came into force in May last year. The Personal Data Protection Bill, 2019 is important because of the urgent need to regulate data protection and data privacy, be it for online platforms, apps, social networks or online services, including those provided by the government.
It is perhaps a good time to refresh our memory and take another look at what the Justice BN Srikrishna-led committee had recommended in the draft bill, then titled the Personal Data Protection Bill, 2018. The recommendations state that “any person processing personal data owes a duty to the data principal to process such personal data in a fair and reasonable manner that respects the privacy of the data principal.” Any and all personal data that is collected must be processed only for purposes that are clear, specific and lawful. The draft bill also clarifies that any personal data that is collected must be processed only for the purpose it was collected for in the first place.
For the data collection to be valid and legal, the Data Protection Bill, 2018 states that it must be “free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 (9 of 1872); informed, having regard to whether the data principal has been provided with the information required under section 8; specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing; clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.” The most important aspect of this clause is perhaps the last part, which talks about making it easy for the original owner of the data, that is you and me, to withdraw the data that we may have shared in the first place, for whatever reason we may want to.
“The data fiduciary shall not make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose,” clarifies the Data Protection Bill, 2018. This means that a service provider (specified here as data fiduciary) cannot ask for any other data apart from what is strictly necessary to provide a service in return.
The draft Data Protection Bill, 2018 recommends that a data fiduciary (any State, company, juristic entity or individual who alone or in conjunction with others determines the purpose and means of processing of personal data), if found to be violating the safeguards for sensitive personal data, will be liable for a penalty of up to Rs 15 crore or 4 percent of the total worldwide turnover, whichever is more. If the safeguards for non-sensitive personal data are violated, the penalty will be up to Rs 5 crore or 2 percent of the annual turnover, whichever is more.
Incidentally, the Data Protection Bill, 2018 draft recommendation doesn’t seem to give users any ownership of the data they share with companies or other individuals for a service, or the right to erasure of data that was previously shared, for instance. This is in stark contrast to the Telecom Regulatory Authority of India (TRAI) recommendations on data sharing with any entity in the telecom sector. The TRAI recommendations clearly state, “In respect of the ownership of personal data, the Authority is of the view that the individual must be the primary right holder qua his/her data. While the right to privacy should not be treated solely as a property right, it must be recognized that controllers of personal data are mere custodians without any primary rights over the same.” This simply means that any data that you share with any company still belongs to you, and the companies don’t have any ownership of it or the right to use it without your permission.
The draft recommendations in the Data Protection Bill 2018 also include the ‘Right to be Forgotten’. The draft bill says, “The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure— (a) has served the purpose for which it was made or is no longer necessary; (b) was made on the basis of consent under section 12 and such consent has since been withdrawn; or (c) was made contrary to the provisions of this Act or any other law made by Parliament or any State Legislature.”
Where the data is stored is also touched upon. The recommendations suggest that data localization for personal data is mandatory, and every data fiduciary shall have to keep a copy of the data they collect on a server or data center located in India. This is applicable even if the data fiduciary is keeping another copy of the data set on a server located outside India.