After the supreme court judgment in Justice K.S. Puttaswamy v. Union of India held that the right to privacy is a fundamental right under Article 21 of the Indian Constitution gives a push to the lawmakers of the country to frame such law related to the protection of personal information but subsequently the work on data protection has started much earlier and the personal data protection bill 2018 was redrafted by the srikrishna’s committee recommendation. The legal framework of personal data protection bill 2019 was put forth before the Indian parliament in December 2019 to ensure the purpose of protection of personal data of an individual from an authority.
The bill covers the mechanism of securing the personal data and privacy of an individual and establishment of data protection authority of India for the same under the bill. But the question arises whether the data protection bill is seriously protecting the privacy of an individual? The data protection bill was criticized for not protecting privacy absolutely as there is a clause in this that the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data. It clearly says that the person has no right to privacy against the government related to the personal data and he or she has to disclose all the information to the government agency. Though this does not apply to the private entities, your right to privacy is secured here.
About the Data Protection Bill
The personal data protection bill was presented before the lok sabha on 11 December 2019. The main aim and objective of this bill is to provide for the protection of the privacy of individuals relating to their personal data, mentioning the flow and usage of personal data, create or maintain a relationship of trust between persons and entities processing the personal data, protecting the fundamental rights of individuals whose personal data are processed, to create a framework for organizational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorized and harmful processing, and also this bill recognizes that under this bill the authority has to be established so that they can deal with all the related grievances faced by individual while breaching the privacy of an individual so a Data Protection Authority of India is proposed to be established for the said purposes and for matters connected therewith or incidental thereto.
Features of the Data Protection Bill
- It proposes that personal data should only be processed by the free consent, purpose limitation, storage limitation and data minimization etc.
- It also lays down the obligations on agencies collecting personal data (data fiduciary) to collect only that data which is required for a specific purpose and with the express consent of the individual (data principal).
- It also confers the rights on the individual to obtain personal data, correct inaccurate data, erase data, update the data, port the data to other fiduciaries and the right to restrict or prevent the disclosure of personal data
- To Establish Data Protection Authority of India (DPAI) to protect the interests of individuals, prevent misuse of personal data, ensure compliance and promote awareness about data protection
- Empower the central government to exempt any government agency from application of the proposed law
- Confer the “right of grievance” to individuals to complaint against data fiduciary
Loophole in the bill in protecting the privacy
The approach of data protection bill for the safeguards of privacy has some exempting powers as in the case of government agencies that they are allowed to have access of personal data of an individual with respect to following situations i.e. for the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign states or public order and for preventing any cognizable offence relating to the above situations. This unrestrained power to exempt the government agencies are mentioned in section 35 of the bill.
There were the criticized arguments by various experts on this section, a very famous cyber law expert Pavan Duggal commented on this bill and argued that the exemptions granted in Section 35 of the bill completely undo the objective of this (proposed) law. It puts power in the hands of the central government and specifically makes it a party, judge and adjudicator of its own cause. There are no checks and balances. As per the news related to the recent challenges that are emerging out of the reported Google and whatsapp and other social platform snooping events, the chances of abuse of power under Section 35 are very huge, without any transparency and accountability towards the relevant data principal. The ultimate target will never know how their personal data is being used by the government agencies. The section 35 of the proposed bill stands to nullify the enjoyment of personal privacy and other digital liberties in the era of digital world.
The Section 94 of the bill provides heavy burden on DPAI to regulate privacy and gave the powers that the DPAI would make regulations, rules, safeguards for protection of privacy and ensure certain restrictions on continuous or systematic collection of “sensitive” personal data etc., including even defining what is “critical” personal data. In this also Duggal commented that the DPAI has been empowered to make many regulations which should have been stipulated in the bill. The bill should have specified “critical” personal data which is the Kohinoor of this data protection crown. Besides, the element of cyber security is completely missing from the Bill, making it a paper tiger, not an effective law.
The bill also has the limitations on data processing. It proposes various limitations on data processing as the consumers have little knowledge about how their data is being managed or taken. It also proposes that data should be processed only for specific, clear, and lawful purposes, that the purpose be reasonable so that it is to be limited to those consented to by users and the only data that are beneficial for such purposes should only be collected. In addition, data storage limitations require that data be deleted once the purpose for its collection has been fulfilled. So it limits the data processing.
The Bill 2019 focuses on the intention to protect and secure the personal data and empowers the Data Principals. However there are certain facts, procedural and administrative details are absent. Even lead time and the timeline for the companies to start complying is missing. In India, the Government is not only the custodian of law and order but also continues to be an employer, service provider, responsible for monitoring the economy, businesses, banks, maintaining postal service, education, public utilities, regulating health and safety and therefore a major data fiduciary. The overrated power and exemption provided to Governmental Agencies without proper checks and balances can also be a threat in order to protect the privacy of an individual.
After going through the bill with its relation to promote privacy the concluding of this article is that after considering all the legality of the bill it clearly understood that there are some points in the bill which do not protect the privacy of an individual and hence infringing its fundamental right and therefore the bill has to legislated again or redrafted in order to protect and secure the privacy of a person who is giving his or her consent unknowingly. The privacy of a person in order to protect the data information is very necessary as there are provision under the bill that government agencies are exempted from this clause that they have the right to access a personal data of an individual and no legal proceedings can be initiated against them but this is not in the case of private entities they do not have the right to collect the personal data.
Also the Data Fiduciaries should need to seek advice and take adequate and proper steps in order to increase their preparation level of facing and put efforts in making of the new legislation. The intervening period can be effectively used to reorient their software, rejig their business practices and streamline the manner in which personal data is captured, stored and processed. Hopefully, the personal data protection bill 2019 having all the loopholes can be filled up again after going through the Joint Committee of the Houses to which it has been referred for wider consultation and after both the house considers the gap they will fill up the gaps and provide the country with a strong and secured data protection law, which is mostly a need of an hour so that privacy can be maintained.
- What is a personal data protection bill? Why was it drafted?
- What are the aim and objective of the bill?
- Whether this bill actually provides the protection of privacy?
- What are the loopholes in the bill that need to be redrafted in the bill?