IT Act, 2000 – In the Light of Personal Data Protection Bill, 2019

The introduction of the data protection Bill, in furtherance of the right to privacy recognised by the 2017 Justice K.S. Puttaswamy v. UOI judgement, is a small step by India towards establishing its position in democratic data governance. The Bill, while providing for personal data protection, also gives the government a right to intrude into citizens' privacy, diluting the data rights of citizens in the categories it carves out as exemptions. Some provisions of the Bill mimic GDPR provisions and would need considerable revision for India to establish its leadership as a democracy that focuses on privacy protection on the Internet. Hence its strategic interest lies in its responsibility to uphold the Constitution while at the same time placing the rights and economic welfare of citizens above bureaucratic interests. This article addresses how the Personal Data Protection Bill, 2019 protects individuals' personal data from misuse by government and companies, and the major features that distinguish it from previous Bills.

Introduction

India enacted the Information Technology Act, 2000, which was based on the UNCITRAL model law on e-commerce [1]. The IT Act as enacted covers considerably more ground than its preamble suggests. It mainly covers matters related to data protection, security, cyber disputes, intermediary liability, and government-mandated surveillance of digital communication.

Section 43, Section 43A and Section 72A of the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 provide a comprehensive legal framework for cybersecurity and against privacy violations in digital form.

Section 43 of the IT Act provides for punishment of imprisonment for 3 years or a fine of five lakh rupees or both for offences pertaining to the introduction of any computer contaminant or computer virus into a computer resource without the owner's permission. Unauthorised access, introduction of a virus and causing damage by manipulating computer accounts are covered by this Section. Sections 43 and 43A of the Act provide for compensation to be paid for unauthorised access to information and leakage of sensitive personal information. Section 43A mandates that a corporate body collecting personal data should have a privacy policy to avoid misuse of personal information, including sensitive personal information about a person.

The IT Act of 2000 was last amended in 2011. In spite of increasing cyber frauds, data violations and cybersecurity concerns, little change was made until the 2020 announcement by the Ministry of Electronics and Information Technology. The new law is expected to focus on a stronger framework to deal with cybercrimes. Noting that cyber issues have not been adequately addressed in the present IT Act, the Minister said the government may even look at including a separate chapter on cyber issues in the revamped Act.[2]

Emerging technologies, the explosion of digital business models and a substantial increase in the incidence of cybercrime have prompted the government to fast-track the process of amending the IT Act. Following MeitY's request, the Department for Promotion of Industry and Internal Trade (DPIIT) has asked industry bodies for feedback. The industry lobby group National Association of Software and Service Companies (NASSCOM), the Confederation of Indian Industry (CII), the Federation of Indian Chambers of Commerce and Industry (FICCI), and Assocham received an email from DPIIT asking for inputs and suggestions.[3]

The Personal Data Protection Bill, 2019

The PDPB, 2019 was introduced in the Lok Sabha in December by the Minister of Electronics and Information Technology. The Bill aims to provide for the protection of individual privacy and to establish a Data Protection Authority of India for protecting the personal data of individuals. The Bill deletes the existing Section 43A of the Information Technology Act, 2000 and other provisions concerning compensation payable by companies for non-compliance with personal data protection, and instead prescribes the manner in which personal information can be collected, processed, used, transferred and stored. The Bill aims to protect both the 'Personal Data' and the 'Sensitive Personal Data' of a natural person. Many of the consent-related clauses in the Bill are similar to those in the European Union's General Data Protection Regulation (GDPR).[4]

  • The PDPB, 2019, if passed, will apply to personal data collected, disclosed, stored or transferred within the territory of India

(a) by the government, any Indian Company, any citizen of India or any person or body of persons incorporated in India and

(b) Foreign companies dealing with personal data of individuals in India.

The PDPB shall not apply to processing any anonymised data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.[5]

  • Section 13 defines “Data Fiduciary” as any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of the processing of personal data.

Personal data may be collected and stored only subject to certain limitations: a specific, clear and lawful purpose; collection of only the personal data that is necessary; notice to individuals when personal data is collected; consent of the data principal taken at the commencement of data processing; parental consent obtained by the data fiduciary when dealing with the personal information of children; use and storage of personal data only for the purpose for which it was obtained; and deletion once that need is over. A data fiduciary is classed as a significant data fiduciary based on the nature and sensitivity of the data processed, the turnover of the fiduciary, and similar factors.

Along with the aforesaid duties, data fiduciaries must also undertake specified transparency and accountability measures: preparing a privacy policy of their own; taking the necessary steps to maintain transparency in the processing of personal data; imposing and implementing necessary security safeguards, including encryption and prevention of misuse of data where needed; informing the Authority of any data breach; auditing their policies every year; conducting a data protection impact assessment for processing that involves new technologies or sensitive personal data; appointment of a data protection officer by a significant data fiduciary to advise and monitor the fiduciary; and establishing grievance redressal mechanisms for addressing individual complaints and violation risks.

  • The Bill also proposes certain exceptions under which fiduciaries can process data without the consent of the person, including where required by the State to provide benefits to that individual, legal cases and proceedings, medical emergencies, employment-related matters, and reasonable purposes such as the prevention of cyber fraud, mergers and acquisitions, debt recovery and the like.
  • Section 14 defines "Data principal" as the natural person to whom the personal data referred to in sub-clause (28) relates. The Bill includes certain rights of the individual: the right to obtain confirmation from the fiduciary on whether their personal data has been processed; to seek correction of inaccurate, incomplete or out-of-date personal data; data portability, that is, to have personal data transferred to any other data fiduciary in certain circumstances; and to restrict the continued disclosure of personal information by a fiduciary if it is no longer necessary or consent is withdrawn.
  • The Bill also provides for the Data Protection Authority of India, which will take steps against the misuse of personal data, ensure compliance with the Bill, spread awareness about data protection and take steps to protect the interests of individuals. Orders of the Authority can be appealed to an Appellate Tribunal, and further appeals lie to the Supreme Court.
  • Sensitive personal data can be transferred outside India with the explicit consent of the individual, subject to certain additional conditions. However, certain personal data notified by the government as critical personal data can be processed only in India and must be stored only in India.
  • The central government has the power to exempt certain agencies of the government from the applicability of the Act if it is necessary in the interest of the sovereignty and integrity of the nation, the security of the State, or friendly relations with foreign states, and also to prevent incitement to a cognisable offence relating to the above matters. Processing of personal data is also exempted from the Bill for the purposes of investigation and prosecution of any offence, personal, domestic or journalistic purposes, and research, archiving or statistical purposes.
  • On non-compliance with the Bill, there are two tiers of penalties and compensation. Failure of a data fiduciary to fulfil its obligations for the protection of data is punishable with a penalty extending to Rs 5 crores or 2% of its total worldwide turnover of the preceding financial year, whichever is higher. Processing data in violation of the provisions of the PDPB is punishable with a fine of Rs 15 crores or 4% of the annual turnover of the data fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent are punishable with imprisonment of up to three years, or a fine, or both.

Conclusion

Consent of the individual will be required to process personal data, and, depending on the type of personal data, organisations will need review and update mechanisms for data protection. The Bill is currently under scrutiny by a joint parliamentary committee, and once the committee submits its recommendations and suggestions the Bill will be taken up for passage. The Bill has implications far beyond India: it provides a comprehensive data governance framework that can affect virtually any company attempting to do business with India.

References

[1] UNCITRAL Model Law on Electronic Commerce, 30 January 1997.

[2] https://www.thehindu.com/business/Industry/centre-to-revamp-it-act/article30925140.ece

[3] https://economictimes.indiatimes.com/tech/ites/meity-seeks-ideas-on-it-act-revamp/articleshow/75017401.cms?from=mdr

[4] https://www.lawfareblog.com/key-global-takeaways-indias-revised-personal-data-protection-bill, 4 August 2020.

[5] Section 91(2): The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

Questions

Q1. Why was the Data Protection Bill, 2019 introduced?

When the Supreme Court held in 2017 that privacy is a fundamental right, the court also observed that personal data and facts are an essential feature of the right to privacy. A committee headed by Justice B.N. Srikrishna was therefore set up to analyse the various issues of data protection in India. The committee submitted its report, along with a Draft Personal Data Protection Bill, 2018, to the Ministry of Electronics and Information Technology in July 2018. The Bill of 2019 is based on the recommendations and suggestions of that expert committee and of stakeholders.

Q2. What is the aim of the Personal Data Protection Bill?

The Bill regulates the processing, collection and storage of the personal data of individuals. A data principal is the individual whose personal data is processed. A data fiduciary is the entity that decides the means and purposes of data processing. The Bill principally governs how data protection and processing are carried out by both the government and companies incorporated in India. It also governs foreign companies that deal with the personal information of individuals in India.

Q3. Is the current 2019 Bill different from the Draft Bill suggested by the Expert Committee?

The Bill has gone through several changes from the draft Bill. The new Bill adds social media intermediaries as a new class of significant data fiduciaries. The Bill also adds an exemption allowing the government to direct data fiduciaries to provide any non-personal data for better targeting of services.

Q4. How far have the tech giants in India been successful in practising privacy policies?

Currently, the tech giants do not follow data localisation practices and MNCs do sell data, while at the same time platforms like WhatsApp follow strict encryption policies. Appointing suitably and specially trained personnel as DPOs is also a matter of time, cost and effort on the part of the companies.

Q5. What about the open-ended exemption given to the government under the Bill? And what is data localisation?

The Bill categorises data into sensitive personal data and critical personal data, the latter to be notified by the Central Government. Without the exemption, the government would not be effective in its law enforcement and investigation of cyber frauds and other threats. Following the recommendations of the Srikrishna committee, and in line with many countries worldwide, India has supported data localisation through the 2019 PDPB. Data localisation is a requirement under which entities collecting or processing data cannot store or transfer it outside the territorial jurisdiction of the country and must store it only on local servers. Such data may, however, be permitted for transfer subject to a reasonable level of protection from the government and the companies involved. This is intended to ensure that data misuse does not happen, especially with the financial data of a person's online transactions and the strategic and security interests of the country.
