The Problems with the Data Protection Bill

In Context

  • A data protection law must safeguard and balance peoples’ right to privacy and their right to information, which are fundamental rights flowing from the Constitution. 

About the Data

  • Data is a huge collection of the information generated by different means and stored on digital platforms.
  • Data Collection and Processing are two key aspects of Data.
    • Fiduciaries are the ones who collect and handle the data whereas processing can be done by third parties too.

Digital Personal Data Protection Bill

  • The Ministry of Electronics and Information Technology has drafted a Digital Personal Data Protection (DPDP) Bill.
  • Purpose:
    • The purpose of the bill is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.
      • It is India’s first attempt to domestically legislate on the issue of data protection.
  • Data Fiduciaries – The categories of Data created by the Bill are as follows:
    • Personal data: 
      • Data from which an individual can be identified like name, address etc.
      • No Data Mirroring is required.
      • Individual consent will suffice.
    • Sensitive personal data (SPD): 
      • Some types of personal data like as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
      • To be stored only in India.
      • It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).
    • Critical personal data: 
      • Anything that the government at any time can deem critical, such as military or national security data
      • Critical personal data must be stored and processed in India.
    • Non-Personal Data: 
      • The Bill mandates fiduciaries to provide the government any non-personal data when demanded.
        • The ‘data fiduciary’ may be a service provider who collects, stores and uses data in the course of providing such goods and services.
      • Non-personal data refers to anonymised data, such as traffic patterns or demographic data.
      • The previous draft did not apply to this type of data, which many companies use to fund their business model.
  • Impact on Social Media Companies: 
    • Significant Data Fiduciaries (the fiduciaries with huge volume and processing sensitive data) have to develop their own user verification mechanism.
    • It will reduce the anonymity of users and decrease trolling, fake news and cyberbullying.
  • Exemptions for Data Processing without consent: 
    • They have been provided for reasonable purposes like
      • Security of the state.
      • Detection of any unlawful activity or fraud.
      • Whistleblowing.
      • Medical emergencies.
      • Credit scoring.
      • Operation of search engines.
      • Processing of publicly available data.
  • Creation of Independent Regulator: 
    • The Bill calls for the creation of an independent regulator Data Protection Authority, which will oversee assessments and audits and definition-making.
    • Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
    • The Bill proposes “Purpose limitation” and “Collection limitation” clause, which limit the collection of data to what is needed for “clear, specific, and lawful” purposes.
  • Control Over Data: 
    • It also grants individuals the right to data portability and the ability to access and transfer one’s own data.
    • The right to be forgotten is also given.
    • With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
  • Penalty – The Bill stated the penalties as:
    • Rs 5 crore or 2 percent of worldwide turnover for minor violations and Rs 15 crore or 4 percent of total worldwide turnover for more serious violations.
    • Also, the company’s executive-in-charge can also face jail terms of up to three years.

Problems with the Bill

  • In conflict ith RTI Act:
    • The Bill is criticised for seeking to dilute the provisions of the Right to Information (RTI) Act, which has empowered citizens to access information and hold governments accountable.
      • The RTI Act includes a provision to protect privacy through Section 8(1)(j). In order to invoke this Section to deny personal information, at least one of the following grounds has to be proven: 
        • The information sought has no relationship to any public activity or public interest or is such that it would cause unwarranted invasion of privacy and the Public Information Officer is satisfied that there is no larger public interest that justifies disclosure. 
    • The proposed Bill seeks to amend this Section to expand its purview and exempt all personal information from the ambit of the RTI Act.
  • In conflict with the Right to privacy:
    • By empowering the executive to draft rules on a range of issues, the proposed Bill creates wide discretionary powers for the Central government and thus fails to safeguard people’s right to privacy
      • For instance, under Section 18, it empowers the Central government to exempt any government, or even private sector entities, from the provisions of the Bill by merely issuing a notification.
  • No autonomy for the Data Protection Board:
    • The Bill does not ensure autonomy of the Data Protection Board, the institution responsible for enforcement of provisions of the law
    • Given that the government is the biggest data repository, it was imperative that the oversight body set up under the law be adequately independent to act on violations of the law by government entities. 
  • Digital by design:
    • The Bill stipulates that the Data Protection Board shall be ‘digital by design’, including receipt and disposal of complaints. 
    • As per the latest National Family Health Survey, only 33% of women in India have ever used the Internet
      • The Bill, therefore, effectively fails millions of people who do not have meaningful access to the Internet.

Way ahead

  • The challenge lies in finding an adequate balance between the right to privacy of data principles and reasonable exceptions, especially where government processing of personal data is concerned. 
  • The DPDP Bill needs to be suitably amended and harmonised with the provisions and objectives of the RTI Act.  

 

Daily Mains Question

[Q] A data protection law must safeguard and balance peoples’ right to privacy and their right to information & the Digital Personal Data Protection Bill fails on both counts. Analyse.