From the UPSC perspective, the following things are important:
Prelims level : Right to Privacy
Mains level : Personal Data Protection Bill
The Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill of 2019 is said to have adopted the final draft. The Bill will be tabled in the Winter Session of Parliament.
What is Personal Data?
- Data can be broadly classified into two types: personal and non-personal data.
- Personal data pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.
- Non-personal data includes aggregated data through which individuals cannot be identified.
- For example, while an individual’s own location would constitute personal data; information derived from multiple drivers’ location, which is often used to analyse traffic flow, is non-personal data.
What is Data Protection?
- Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.
Why was a bill brought for Personal Data Protection?
- In August 2017, the Supreme Court had held that Privacy is a fundamental right under Article 21 of the Constitution.
- The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy.
- In July 2017, a Committee of Experts, chaired by Justice BN Srikrishna, was set up to examine various issues related to data protection in India.
- The committee submitted its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018.
How is personal data regulated currently?
- Currently, the usage and transfer of personal data of citizens is regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000.
- The rules hold the companies using the data liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data.
Issues with IT Rules, 2011
- The IT rules were a novel attempt at data protection at the time they were introduced, but the pace of development of the digital economy has shown their shortcomings.
- For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some of the provisions can be overridden by a contract.
- Further, the IT Act applies only to companies, not to the government.
What does the Personal Data Protection Bill provide?
- Collection and storage: The bill regulates personal data related to individuals, and the processing, collection and storage of such data.
- Data Principal: Under the bill, a data principal is an individual whose personal data is being processed.
- Data fiduciary: The entity or individual who decides the means and purposes of data processing is known as data fiduciary.
- Data processing: The Bill governs the processing of personal data by both government and companies incorporated in India.
- Data localization: It also governs foreign companies, if they deal with personal data of individuals in India.
- General consent: The Bill provides the data principal with certain rights with respect to their personal data. Any processing of personal data can be done only on the basis of consent given by data principal.
- Data Protection Authority: To ensure compliance with the provisions of the Bill, and provide for further regulations with respect to processing of personal data of individuals, the Bill sets up a DPA.
Issues with the PDP Bill
- Exemptions to the govt: Section 35 of the bill permits the Central Government to exempt any agency of the Government from the provisions of the law.
- No reasonable exemptions: There is no sufficient reason for government agencies to be exempted from basic provisions of the Bill.
- Easy breach: Such an exemption would, though, be subject to procedures, safeguards, and oversight mechanisms to be prescribed by the Government.
- Executive hegemony: There is no scope for oversight over the executive’s decision to issue such an order.
- Arbitrary and intrusive: As demonstrated by the Pegasus case, the current frameworks for protecting citizens from arbitrary and intrusive State action lack robustness.
Why is the state given exemption?
- Biggest processor of data: The State is one of the biggest processors of data, and has a unique ability to impact the lives of individuals.
- Welfare objectives: It has a monopoly over coercive powers as well as the obligation to provide welfare and services.
Issues with Exemption to State
- Grounds of expediency: The use of this provision on grounds of expediency is an extremely low bar for the Government to meet.
- Non-requirement for exemption order: There is no requirement for an exemption order to be proportionate to meeting a particular State function.
- No oversight on executive actions: There is no scope for oversight over the executive’s decision to issue such an order or any safeguards prescribed for this process.
- State surveillance: Section 36(a) of the Bill provides for an exception where personal data is being processed against criminal investigation. This provision could therefore encourage vigilantism or enable privatized surveillance.
Best practices followed across the world
- The European GDPR (General Data Protection Regulation) is commonly seen as the pinnacle of data protection regulation worldwide.
- The EU has in place a separate law that deals with the processing of personal data by law enforcement agencies.
- The UK’s Data Protection Act has a dedicated Part 3 that liberalises certain obligations while at the same time ensuring that data protection rights are also protected.
- Balancing privacy interests with those of public needs (such as that of State security) is a difficult task.
- This should undergo rigorous consultations in Parliament taking into confidence all stakeholders.
- Once debated in Parliament, one can only hope that adequate time and attention is given to finding a better balance between competing interests.