Recently, a bug in Airtel’s mobile application put the personal data of 300 million users at risk. Ankita, a millennial, who has all her financial information saved on apps, was scared that her card details may have been leaked. In the age of the internet, where everything is available upon a click, data security and privacy have become important issues.
In order to ensure that India has a robust legal system governing and regulating data privacy, the Personal Data Protection Bill, 2019 (PDP) was introduced in the Lok Sabha on December 11, 2019. The Bill is currently before a Parliament select committee for vetting. The Bill aims to create a Data Protection Authority to ensure security and privacy of a person’s data available online.
This article highlights the key features of the Bill and how it aims to protect your personal data, and options available to the individual to ensure his data is protected and avail redressal in case of a leak.
These are the central provisions of this Bill:
Data Principal: The individual whose data is sought to be collected.
Data Fiduciary: The service provider who determines the purpose and manner of data processing. For example, Google collects its users’ information and then determines what such information is going to be used for (for example, for generating more advertisements). Fiduciary is defined as the person or organization that acts on behalf of another person or persons to manage assets, in this case personal data. E-commerce companies, for instance, would fall under this definition.
Data Processor: The entity which processes the data on behalf of the data fiduciary. For instance, Google collects information from its users and then sends it to a third party to process the same. Google will be the data fiduciary while the third party will be the data processor. If Google or Facebook both collect, determine the purpose and process the data themselves, then they will be both data fiduciaries and data processors.
Personal Data: This is defined as data which is directly or indirectly used to identify a person. For instance, one’s name, address, phone number, Aadhaar card number etc.
We can understand these terms better with an example: Let us say, you enter your phone number while registering for an app. This phone number is collected by one ABC Ltd (fictional) for the purposes of sending you notifications of their offers. ABC Ltd. is a data fiduciary in this case. However, if ABC Ltd does not have the necessary infrastructure to store large amounts of data and hires the services of another XYZ Ltd to store your data on the latter’s servers, XYZ Ltd is the data processor. You, the person whose data is being collected, is the data principal.
Applicability of the law
The Bill when passed will be applicable to the processing of personal data by the government, companies incorporated in India and foreign companies, if the data is processed in connection with business activities being carried out in India or is collected for the purpose of data profiling of individuals in India.
Obligations of Data Fiduciary/Service Provider
Processing of personal data should be only for a clear, specific and lawful purpose. Personal data should be processed in a just, fair and reasonable manner and only for
a) the purposes consented to by the individual
b) a purpose, incidental to the purposes consented by the individual or
c) For a purpose which the data principal reasonably expects the data to be used for.
A notice must be sent to data principals at the time of collection of personal data.
A data fiduciary or service provider should take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed.
Personal data collected should be retained only till it satisfies the purpose for which it was collected and deleted thereafter.
Consent should be obtained from the data principals at the time of commencement of data processing. Such consent, should be free, clear, specific and capable of being withdrawn.
Rights of the Individual/Data Principal
The individual or data principal has certain rights under the Bill. These are:
- Receiving confirmation from service provider on the processing of personal data
- The data principal has the right to seek correction of personal data which is inaccurate, incomplete or obsolete. This right will ensure erasure of data which is no longer useful for the purpose for which it was initially collected.
- Transferring personal data to any other service provider under certain circumstances
- Restricting disclosure of their personal data by a fiduciary, if the purpose of processing is over or the consent is withdrawn.
An individual who believes her/his rights have been compromised can raise this with the service provider. Such a person can either utilise the in-built complaint and feedback mechanism, which is usually offered by the service provider, or e-mail them his complaint if such a mechanism is not available. In case of non-compliance, the aggrieved person can approach the proposed Data Protection Authority for enforcement of his right under the framework of this bill.
Data Protection Authority
The Bill envisages the creation of a Data Protection Authority which, inter alia, is required to protect the interest of individuals, prevent misuse of personal data and ensure compliance with the Bill. This authority shall be comprised of six whole-time members. These members will be appointed by a committee which consists of the Chief Justice of India or any other Supreme Court judge nominated by him, the Cabinet Secretary and one expert of repute.
Processing personal data without consent
In certain circumstances, personal data can be processed without consent. These include:
- if it is required by the State for providing benefits to the individual
- in legal proceedings
- to respond to a medical emergency. For instance, admitting a patient to a hospital under emergency conditions
- to provide assistance during disaster
- under any law for the time being in force made by the Parliament or any State Legislature.
Social Media Intermediaries
Online media platforms which enable interaction among users above a notified threshold will now have certain obligations, such as a voluntary user verification mechanism for users in India. For instance, Facebook will now be obliged to verify its users before it allows them to use its apps.
Transfer of data outside India
The Bill permits the transfer of sensitive personal data outside India, unless explicit consent is obtained from the individual. However, such sensitive personal data should continue to be stored in India. There are certain categories of personal data classified as critical personal data which can be processed only in India. While the bill and the report which was released with the bill are both silent as to what constitutes one’s critical personal data, it can be presumed that information like medical records, financial information etc come under the scope and ambit of this term.
The Bill permits the central government to exempt any of its agencies from the provisions of the Act inter alia, in the interest of security of state, public order, sovereignty and integrity of India and friendly foreign relations. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as prevention, investigation, or prosecution of any offence, or personal, domestic or journalistic purposes.
Sharing of non-personal data with government
The central government may require data fiduciaries to provide it with any
- Non-personal data and
- Data which cannot be used to identify individuals for better targeting of services.
Personal Data of Children
Data fiduciaries are required to verify the age of a child and obtain consent of his/her parent or guardian prior to processing personal data pertaining to children. Operators of sites directed towards children such as Facebook Messenger Kids and Funology are classified as guardian data fiduciaries. These service providers are prohibited from tracking, profiling or carrying out any other targeted advertising which may harm the interests of children.
Transparency and Privacy Design
Service providers are required to prepare a privacy by design policy, which will include the technology used in processing of personal data, obligations of data fiduciaries, technical systems designed to identify, anticipate and avoid harm to the data principal and legitimate interests of businesses. Data fiduciaries are required to observe transparency in their data processing and are required to make available certain information such as categories of personal data collected and purpose of processing data.
The service provider is also required to report breach of data to the Data Protection Authority, as soon as possible and the Data Protection Authority, can then, depending upon the severity of the impact, inform the individual of the breach of his personal data. This safeguards the privacy of the data principal and allows them to take appropriate and timely measures to nullify the effect of breach and approach DPA in case of any serious violation.
The Data Protection Committee Report points out that usually fiduciaries are reluctant in reporting a breach to avoid any sort of liability and adverse publicity, and this is essentially the reason why a legal obligation to report data breaches is necessary.
Have concerns? Write to the committee
To summarise, personal data includes any information which may be used to identify an individual. The Bill will create a proper process around the collection and processing of such data by private and public entities. A clear, free, specific and informed consent of the individual will be required. A notice will usually be given before the intended collection begins.
Individuals, whose data are being collected, will have several rights including the right to demand erasure of their data and the right to restrict the continuing disclosure of their data. Creation of a data protection authority will create a centralised regulatory authority and will speed up the resolution of issues pertaining to data privacy.
However, what is alarming about this Bill are the sweeping exemptions which have been provided to the government in the name of national security and welfare services. Justice Srikrishna, who had early last year headed a committee that laid down the structure for the Bill, expressed concern over these provisions and stated that such blatant powers without the presence of any safeguards, could lead to India becoming an ‘Orwellian’ State.
Having said that, it is still significant that India is aiming to enact a piece of legislation pertaining to data protection. This will go a long way in regulating data collection and processing by public and private entities and will give more power in the hands of the individuals whose data is being collected. In order to make the process more inclusive, the government has invited comments from all relevant stakeholders. These comments may be submitted to the Joint Parliamentary Committee by February 25, 2020. You may submit your comments by sending them in an e-mail to email@example.com or to firstname.lastname@example.org