Digital Personal Data Protection Bill, 2022, may not be ideal but is a step towards protection of personal data
By Manish Narwade
Hyderabad: The Supreme Court judgement of ‘R Rajagopal Vs The State of Tamil Nadu’ stated: “The freedom and right to life that are guaranteed to all citizens of this nation by Article 21 inherently include the right to privacy. A ‘right to be left alone’ exists. A citizen has a right to protect his personal space.”
Data protection and individual privacy are related. If a person has the right to privacy, she/he also has the right to data protection.
The major principles of Digital Personal Data Protection Bill, 2022, include usage of the data in a lawful way (fair and transparent); usage of the data for the reason it was collected; data minimisation; accuracy of personal data; storage limitation; reasonable safeguards and, lastly, accountability.
Section 2(1)(o) of the Information Technology Act, 2000, defines “data” as “a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.”
A Legal Framework
The Bill provides a legal framework for protecting digitally stored personal data. Digital personal data will be processed while taking into account societal rights, individual privacy rights and the requirement to process personal data lawfully.
The purpose of the Bill is to control how both public and commercial organisations with domestic and international corporate structures process personal data about individuals. Data processing is only permitted with the consent of the subject, in the event of a medical emergency, or when necessary for the state to provide advantages to its inhabitants.
An individual will have a number of rights over personal data, such as the ability to request a correction or request access to the data that is kept by private businesses. The measure permits exemptions from certain types of data processing, such as processing necessary for legal procedures or in the interest of national security.
Article 12 of the Universal Declaration of Human Rights states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Similarly, the International Covenant on Civil and Political Rights’ Article 17 states that “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.”
The European Union has one of the strictest data protection Acts – GDPR (General Data Protection Regulation). It is built on the tenets of consent, openness, protection and user control, and carries the threat of a fine of 4% of annual revenue. Other developing countries like South Africa, China, the Philippines and Argentina have enacted their own data protection Acts.
Major Loopholes
The Bill was withdrawn in 2019 by the Ministry of Electronics and Information Technology (MeitY), stating that a comprehensive Bill will be released soon. Later, it was referred to Standing Committees. Still, the current DPDP Bill has major loopholes. The Internet Freedom Foundation has said the Bill lacks independence and autonomy. The duration of user data storage and whether or not it will be shared with third parties are no longer required disclosures by data fiduciaries.
In Chapter 16, clause (4), it is stated that “Data Principal shall furnish only such information as is verifiable and authentic.” The Bill does not talk about what is authentic and how information can be verifiable. Even the appointment of the board members is not clear. Not involving the leader of the opposition and Chief Justice in the selection committee may make it a “caged parrot”. It is important that the Board remain an autonomous body and be impartial in the proceedings and trials.
The Bill does not explicitly define what constitutes a reasonable and fair manner of personal data processing. As a result, fairness and reasonability principles may vary among data fiduciaries, and those processing similar types of data within the same business may evolve and follow different fairness and reasonability standards. The data fiduciary is given discretionary authority under the Bill to decide whether to report data breaches and whether the data breach has negatively affected the data principal. This might lead data fiduciaries to report data breaches selectively, preventing the data protection authority (DPA) from being activated even when a data breach involves personal information about an individual. The Bill does not say anything about non-personal data.
Data Localisation
There is no mention of giving additional protections to sensitive data. Data protection laws in Japan, Korea and Macau give additional protection to sensitive data. The Bill says nothing about data localisation. The 2019 Bill did mention data localisation.
The current Bill suggests that any state function may process an individual’s personal data for that purpose. If it’s done to give the person a service or benefit, it can be done without getting their permission. This directly contradicts the Puttaswamy decision (2017) that informed consent is essential to informational privacy.
It is important to know that Rome wasn’t built in a day. Regulation of data is a time-consuming process. Improper regulation will result in the failure of an institution. There should not be hidden agendas and clientelism in the process of law-making. To function properly, it is important that the board members work in an autonomous and fair manner. It is also important that institutions, industries and the corporate world have their own self-regulatory mechanism for data protection. This self-regulatory mechanism can be achieved through the impartial office of grievance redressal mechanisms.
Regulation of data is important in the current scenario. The Bill talks about the regulation of data through rules and laws, governing the collection, storage and use of personal data. In a way, it brings the idea of data regulation into the picture. The DPDP Bill may not be an ideal one but is a step towards the protection of individual personal data.