Personal Data Protection (PDP) Bill

In News: ‘No data is permanently anonymised’: Experts warn of re-identification risks.

• Non-Personalised Data like Browsing Pattern can also be used by fiduciaries to detect the behavioural patterns of individuals.
• Thus even Non-personal data can be used for deducing personal traits and requirements.
• It is in conflict with Right to Privacy.

Personal Data Protection Bill

• It is India’s first attempt to domestically legislate on the issue of data protection.
• The Bill derives its inspiration from a previous draft version prepared by a committee headed by retired Justice B N Srikrishna.
• Data Fiduciaries: The 3 categories of Data created by the Bill are
  • Personal data: Data from which an individual can be identified like name, address etc.
    • No Data Mirroring is required.
    • Individual consent will suffice.
  • Sensitive personal data (SPD): Some types of personal data like as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
    • To be stored only in India.
    •  It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).
  • Critical personal data: Anything that the government at any time can deem critical, such as military or national security data
    • Critical personal data must be stored and processed in India.
  • Non Personal Data: The Bill mandates fiduciaries to provide the government any non-personal data when demanded.
    • The ‘data fiduciary’ may be a service provider who collects, stores and uses data in the course of providing such goods and services.
    • Non-personal data refers to anonymised data, such as traffic patterns or demographic data.
    • The previous draft did not apply to this type of data, which many companies use to fund their business model.
• Impact on Social Media Companies: Significant Data Fiduciaries (the fiduciaries with huge volume and processing sensitive data) have to develop their own user verification mechanism.
  • It will reduce anonymity of users and decrease trolling, fake news and cyberbullying.
• Exemptions for Data Processing without consent: They have been provided for reasonable purposes like
  • Security of the state.
  • Detection of any unlawful activity or fraud.
  • Whistleblowing.
  • Medical emergencies.
  • Credit scoring.
  • Operation of search engines.
  • Processing of publicly available data.
• Creation of Independent Regulator: The Bill calls for the creation of an independent regulator Data Protection Authority, which will oversee assessments and audits and definition making.
  • Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
  • The Bill proposes “Purpose limitation” and “Collection limitation” clause, which limit the collection of data to what is needed for “clear, specific, and lawful” purposes.
• Control Over Data: It also grants individuals the right to data portability and the ability to access and transfer one’s own data.
  •  The right to be forgotten is also given.
  • With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
• Penalty: The Bill stated the penalties as: Rs 5 crore or 2 percent of worldwide turnover for minor violations and Rs 15 crore or 4 percent of total worldwide turnover for more serious violations.
  • Also, the company’s executive-in-charge can also face jail terms of up to three years.

Need

• Law Enforcement: Data localisation can help law-enforcement agencies access data for investigations and enforcement.
  • Cross-border data transfer of data  through individual bilateral “mutual legal assistance treaties” is a cumbersome process.
• Cyber Security: Recently, many WhatsApp accounts were hacked by an Israeli software called Pegasus.
• Curbing Fake News: Many instances like lynching, national security threats, etc can now be prevented in time.
• Data Sovereignty: Data localisation will also increase the ability of the Indian government to tax Internet giants.

Criticism

• No relevance of Localised Data: Few critics point out to the fact that even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
• Open Ended Definitions: National security or reasonable purposes are open-ended terms, this may lead to intrusion of state into the private lives of citizens.
• Criticism from Tech Giants: Facebook and Google have criticised protectionist policy on data protection (data localisation) on ground of Domino Effect.
• Against Ethos of Free Market: Protectionist regime supress the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
• Difficulties for Indian Startups: Due to higher compliance cost, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.
• Reidentification Risks: With growing technology, now browser data itself can be used to derive personal conclusions which is threatening Right to Privacy.

Way Forward

• The prime challenge is to balance between the growth opportunities posed by Free Data and Right to Privacy as Fundamental Right as declared by Puttaswamy Judgement 2017.
  • In this context, India must promote Data Localisation with care and by more scientific and organic categorisations.
  • The open ended definitions must be clearly defined.
• The Localised Data will also help new entrepreneurs to fill the digital infrastructure gap.

Source: IE